--- /dev/null
+= Grid Identifiers =
+
+What makes up a Tahoe "grid"? The rough answer is a fairly-stable set of
+Storage Servers.
+
+The read- and write- caps that point to files and directories are scoped to a
+particular set of servers. The Tahoe peer-selection and erasure-coding
+algorithms provide high availability as long as there is significant overlap
+between the servers that were used for upload and the servers that are
+available for subsequent download. When new peers are added, the shares will
+get spread out in the search space, so clients must work harder to download
+their files. When peers are removed, shares are lost, and file health is
+threatened. Repair bandwidth must be used to generate new shares, so cost
+increases with the rate of server departure. If servers leave the grid too
+quickly, repair may not be able to keep up, and files will be lost.
+
+So to get long-term stability, we need that peer set to remain fairly stable.
+A peer which joins the grid needs to stick around for a while.
+
+== Multiple Grids ==
+
+The current Tahoe read-cap format doesn't admit the existence of multiple
+grids. In fact, the "URI:" prefix implies that these cap strings are
+universal: it suggests that this string (plus some protocol definition) is
+completely sufficient to recover the file.
+
+However, there are a variety of reasons why we may want to have more than one
+Tahoe grid in the world:
+
+ * scaling: there are a variety of problems that are likely to be encountered
+ as we attempt to grow a Tahoe grid from a few dozen servers to a few
+ thousand, some of which are easier to deal with than others. Maintaining
+ connections to servers and keeping up-to-date on the locations of servers
+ is one issue. There are design improvements that can work around these,
+ but they will take time, and we may not want to wait for that work to be
+ done. Begin able to deploy multiple grids may be the best way to get a
+ large number of clients using tahoe at once.
+
+ * managing quality of storage, storage allocation: the members of a
+ friendnet may want to restrict access to storage space to just each other,
+ and may want to run their grid without involving any external coordination
+
+ * commercial goals: a company using Tahoe may want to restrict access to
+ storage space to just their customers
+
+ * protocol upgrades, development: new and experimental versions of the tahoe
+ software may need to be deployed and analyzed in isolation from the grid
+ that clients are using for active storage
+
+So if we define a grid to be a set of storage servers, then two distinct
+grids will have two distinct sets of storage servers. Clients are free to use
+whichever grid they like (and have permission to use), however each time they
+upload a file, they must choose a specific grid to put it in. Clients can
+upload the same file to multiple grids in two separate upload operations.
+
+== Grid IDs in URIs ==
+
+Each URI needs to be scoped to a specific grid, to avoid confusion ("I looked
+for URI123 and it said File Not Found.. oh, which grid did you upload that
+into?"). To accomplish this, the URI will contain a "grid identifier" that
+references a specific Tahoe grid. The grid ID is shorthand for a relatively
+stable set of storage servers.
+
+To make the URIs actually Universal, there must be a way to get from the grid
+ID to the actual grid. This document defines a protocol by which a client
+that wants to download a file from a previously-unknown grid will be able to
+locate and connect to that grid.
+
+== Grid ID specification ==
+
+The Grid ID is a string, using a fairly limited character set, alphanumerics
+plus possibly a few others. It can be very short: a gridid of just "0" can be
+used. The gridID will be copied into the cap string for every file that is
+uploaded to that grid, so there is pressure to keep them short.
+
+The cap format needs to be able to distinguish the gridID from the rest of
+the cap. This could be expressed in DNS-style dot notation, for example the
+directory write-cap with a write-key of "0ZrD.." that lives on gridID "foo"
+could be expressed as "D0ZrDNAHuxs0XhYJNmkdicBUFxsgiHzMdm.foo" .
+
+ * design goals: non-word-breaking, double-click-pasteable, maybe
+ human-readable (do humans need to know which grid is being used? probably
+ not).
+ * does not need to be Secure (i.e. long and unguessable), but we must
+ analyze the sorts of DoS attack that can result if it is not (and even
+ if it is)
+ * does not need to be human-memorable, although that may assist debugging
+ and discussion ("my file is on grid 4, where is yours?)
+ * *does* need to be unique, but the total number of grids is fairly small
+ (counted in the hundreds or thousands rather than millions or billions)
+ and we can afford to coordinate the use of short names. Folks who don't
+ like coordination can pick a largeish random string.
+
+Each announcement that a Storage Server publishes (to introducers) will
+include its grid id. If a server participates in multiple grids, it will make
+multiple announcements, each with a single grid id. Clients will be able to
+ask an introducer for information about all storage servers that participate
+in a specific grid.
+
+Clients are likely to have a default grid id, to which they upload files. If
+a client is adding a file to a directory that lives in a different grid, they
+may upload the file to that other grid instead of their default.
+
+== Getting from a Grid ID to a grid ==
+
+When a client decides to download a file, it starts by unpacking the cap and
+extracting the grid ID.
+
+Then it attempts to connect to at least one introducer for that grid, by
+leveraging DNS:
+
+ hash $GRIDID id (with some tag) to get a long base32-encoded string: $HASH
+
+ GET http://tahoe-$HASH.com/introducer/gridid/$GRIDID
+
+ the results should be a JSON-encoded list of introducer FURLs
+
+ for extra redundancy, if that query fails, perform the following additional
+ queries:
+
+ GET http://tahoe-$HASH.net/introducer/gridid/$GRIDID
+ GET http://tahoe-$HASH.org/introducer/gridid/$GRIDID
+ GET http://tahoe-$HASH.tv/introducer/gridid/$GRIDID
+ GET http://tahoe-$HASH.info/introducer/gridid/$GRIDID
+ etc
+ GET http://tahoe-grids.allmydata.com/introducer/gridid/$GRIDID
+
+ The first few introducers should be able to announce other introducers, via
+ the distributed gossip-based introduction scheme of #68.
+
+Properties:
+
+ * claiming a grid ID is cheap: a single domain name registration (in an
+ uncontested namespace), and a simple web server. allmydata.com can publish
+ introducer FURLs for grids that don't want to register their own domain.
+
+ * lookup is at least as robust as DNS. By using benevolent public services
+ like tahoe-grids.allmydata.com, reliability can be increased further. The
+ HTTP fetch can return a list of every known server node, all of which can
+ act as introducers.
+
+ * not secure: anyone who can interfere with DNS lookups (or claims
+ tahoe-$HASH.com before you do) can cause clients to connect to their
+ servers instead of yours. This admits a moderate DoS attack against
+ download availability. Performing multiple queries (to .net, .org, etc)
+ and merging the results may mitigate this (you'll get their servers *and*
+ your servers; the download search will be slower but is still likely to
+ succeed). It may admit an upload DoS attack as well, or an upload
+ file-reliability attack (trick you into uploading to unreliable servers)
+ depending upon how the "server selection policy" (see below) is
+ implemented.
+
+Once the client is connected to an introducer, it will see if there is a
+Helper who is willing to assist with the upload or download. (For download,
+this might reduce the number of connections that the grid's storage servers
+must deal with). If not, ask the introducers for storage servers, and connect
+to them directly.
+
+== Controlling Access ==
+
+The introducers are not used to enforce access control. Instead, a system of
+public keys are used.
+
+There are a few kinds of access control that we might want to implement:
+
+ * protect storage space: only let authorized clients upload/consume storage
+ * protect download bandwidth: only give shares to authorized clients
+ * protect share reliability: only upload shares to "good" servers
+
+The first two are implemented by the server, to protect their resources. The
+last is implemented by the client, to avoid uploading shares to unreliable
+servers (specifically, to maximize the utility of the client's limited upload
+bandwidth: there's no problem with putting shares on unreliable peers per se,
+but it is a problem if doing so means the client won't put a share on a more
+reliable peer).
+
+The first limitation (protect storage space) will be implemented by public
+keys and signed "storage authority" certificates. The client will present
+some credentials to the storage server to convince it that the client
+deserves the space. When storage servers are in this mode, they will have a
+certificate that names a public key, and any credentials that can demonstrate
+a path from that key will be accepted. This scheme is described in
+docs/accounts-pubkey.txt .
+
+The second limitation is unexplored. The read-cap does not currently contain
+any notion of who must pay for the bandwidth incurred.
+
+The third limitation (only upload to "good" servers), when enabled, is
+implemented by a "server selection policy" on the client side, which defines
+which server credentials will be accepted. This is just like the first
+limitation in reverse. Before clients consider including a server in their
+peer selection algorithm, they check the credentials, and ignore any that do
+not meet them.
+
+This means that a client may not wish to upload anything to "foreign grids",
+because they have no promise of reliability. The reasons that a client might
+want to upload to a foreign grid need to be examined: reliability may not be
+important, or it might be good enough to upload the file to the client's
+"home grid" instead.
+
+The server selection policy is intended to be fairly open-ended: we can
+imagine a policy that says "upload to any server that has a good reputation
+among group X", or more complicated schemes that require less and less
+centralized management. One important and simple scheme is to simply have a
+list of acceptable keys: a friendnet with 5 members would include 5 such keys
+in each policy, enabling every member to use the services of the others,
+without having a single central manager with unilateral control over the
+definition of the group.
+
+== Closed Grids ==
+
+To implement these access controls, each client needs to be configured with
+three things:
+
+ * home grid ID (used to find introducers, helpers, storage servers)
+ * storage authority (certificate to enable uploads)
+ * server selection policy (identify good/reliable servers)
+
+If the server selection policy indicates centralized control (i.e. there is
+some single key X which is used to sign the credentials for all "good"
+servers), then this could be built in to the grid ID. By using the base32
+hash of the pubkey as the grid ID, clients would only need to be configured
+with two things: the grid ID, and their storage authority. In this case, the
+introducer would provide the pubkey, and the client would compare the hashes
+to make sure they match. This is analogous to how a TubID is used in a FURL.
+
+Such grids would have significantly larger grid IDs, 24 characters or more.