I’ve just taken a look at how device linking and discovery works. To me it seems hard to implement this using the current system.
In a cluster of three devices of which one is a non-trusted one, the other two have to come to an agreement about which key to encrypt all outgoing data to the third device with.
I’d think about a solution like this: (I think its actually the opposite of how introducers work.)
When you init the first device in the cluster, it is the only master device. It creates a private key to use for encrypting data for untrusted clients (you want to use the same key for all untrusted devices because otherwise more information than necessary is given away when there are a lot of untrusted devices)
Whenever you add a new device to a master device, you check a box to indicate if it is trusted or not. If it is trusted, you hand it the key so that it becomes a master device as well.
Introducers of course indicate to devices that the new device is untrusted.
A similar thing can be done to solve #62 (which I just stumbled upon), where source devices sign their changes with the master key required to make changes.
(I literally just minutes ago first looked at how syncthing works so this might be complete nonsense.)
Just thinking further here, this whole idea could actually be taken further to changing the device-based syncing towards cluster-based syncing/discovery.
Imagine that a syncthing cluster would be built around a private key (which could be backed up offline). The cluster would be identified by (a hash of) its public key.
- All trusted devices hold this key.
- Whenever you want to setup a new device, you enter the identifier and it will announce itself, asking for permission to the cluster.
- All trusted devices get a notification, asking what to do with the device. You can then decide what tp do with it
- Trust it and hand it the key.
- Make it a read-only device, handing it a signed message saying that it is a read-only device.
- Make it an encrypted device and hand it a signed message saying that it is an encrypted device.
- The new device then messages all other devices, proving her “role” in the cluster that has been given to her by another trusted device (this prove is either a self-made signed message with the key she received or the signed message she received)
- Now, when a device is advanced by a new device, the new device can authenticate itself using a signed message.
- The cool thing is, when all the trusted devices die are get stolen, you still have the backup of the key and can use it to find the untrusted devices that can hand you all the files in encrypted form. Of course validity checks have to be made, but that is certainly possible.
I’m probably driving it too far for the simple use cases syncthing is intended for, but such a system would allow for a lot new interesting use cases. It actually goes in the direction of a more distributed cloud solution, like Storj, f.e. (Storj is a really cool project, you should definitely take a look!)