@@ -205,10 +205,6 @@ All devices with access to a shared folder contain (at least) a Tahoe read-capab
In this design, we anticipate communicating (at least) a read-capability to the shared folder to an additional device. The impact of revealing this secret is high: a user can forever read updates, unbeknowst to anyone else. Guarding against accidental disclosure of this should be high priority.
**Threat**: impersonate a user
This is a superset of the above threat, more-or-less. Devices which can write to a shared folder also retain a Tahoe write-capability to record their changes (as Snapshots) to files. Anyone gaining knowledge of this capability can forever write updates that appear to be from the device that (legitmately) holds the write-capability. In addition, since Tahoe only allows (but doesn't enforce) a single writer, a malicious actor holding the write-capability could in theory render that device's updates to be inaccessible (corrupted) and future updates impossible. (This design doesn't allow a new device to write, so this threat isn't immediately relevant).
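Review bot: In the "impersonate a user" paragraph, "Tahoe only allows (but doesn't enforce) a single writer" reads as self-contradictory; something like "Tahoe assumes a single writer but does not enforce it" says what is meant. The closing parenthetical sets the threat aside because a new device cannot write, but the same paragraph states that existing devices retain a write-capability. The text should either say how that capability is guarded on those devices or mark it explicitly as out of scope for this design, in the way the read-capability paragraph ends with "should be high priority". While this section is being touched, please also fix "unbeknowst" (unbeknownst) and "legitmately" (legitimately), and move the final period inside the closing parenthesis.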