10 Revoking access
When Alice tells Bob a secret and later regrets doing so, she can’t make Bob forget the secret without resorting to brain surgery. We feel brain surgery is beyond the scope of 1Password,[18] and therefore users should be aware that once a secret has been shared the recipient cannot be forced to forget that secret.
We’re always happy for our colleagues when they move on to new adventures.
Tom and Gerry have been working on Widgets For Cows, Barnyard Gadgets’ new Internet of Things products, and it’s time for Tom to move on. Tom will get access to a new team and new shared vault.
Ricky, the team owner, adds Tom to the new vault. Adding a new member to a shared vault is very simple. A copy of the vault key will be encrypted with Tom’s public key so only Tom can decrypt it, and Tom will be sent a notification about the new shared vault. But what about his old access and Gerry’s new product plans for Widgets for Cows?
Ricky will remove Tom from the Widgets for Cows vault. Ricky can’t make Tom forget information that he’s already had and perhaps made a copy of, but Tom can be denied access to anything new added to the vault.
After Tom has been removed from the vault, Gerry creates a new Document called More Cow Bell for the vault. More Cow Bell will be encrypted with a key that’s encrypted by the vault key, but Tom should never get a copy of the encrypted Document item.
The next time Tom connects to the server, he will no longer be sent data from that vault. This server policy mechanism prevents Tom from receiving any new data from that vault. Furthermore, Tom’s client will be told to remove any copies of the vault key and the encrypted data it has stored for that vault. This client policy at least gets a well-behaved client to forget data and keys it should no longer have. Either of those policies is sufficient to prevent Tom from learning just how much cow bell Gerry thinks is enough.
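The two policies above can be traced in a small model. This is an added example, not 1Password's code: the `Server` and `Client` classes and their methods are hypothetical, and plain strings stand in for ciphertexts and wrapped vault keys. It runs one well-behaved client and one that ignores the removal instruction through Tom's revocation.

```python
# Simplified model: names are hypothetical, and strings stand in for
# ciphertexts and wrapped keys (no real cryptography is performed).
class Server:
    def __init__(self):
        self.members = {}   # vault -> users with access
        self.items = {}     # vault -> {item name: encrypted item}

    def add_member(self, vault, user):
        self.members.setdefault(vault, set()).add(user)
        self.items.setdefault(vault, {})

    def remove_member(self, vault, user):
        self.members[vault].discard(user)

    def add_item(self, vault, name):
        self.items[vault][name] = f"ciphertext[{name}]"

    def sync(self, user, known_vaults):
        # Server policy: data only for current vaults, plus vaults to forget.
        allowed = {v for v, m in self.members.items() if user in m}
        data = {v: (f"vault key wrapped for {user}", dict(self.items[v]))
                for v in allowed}
        return data, set(known_vaults) - allowed

class Client:
    def __init__(self, user, well_behaved=True):
        self.user, self.well_behaved = user, well_behaved
        self.store = {}     # vault -> (wrapped vault key, encrypted items)

    def sync(self, server):
        data, revoked = server.sync(self.user, self.store)
        self.store.update(data)
        if self.well_behaved:   # client policy: purge keys and data
            for vault in revoked:
                del self.store[vault]

def demo():
    vault, server = "Widgets for Cows", Server()
    for user in ("Tom", "Gerry"):
        server.add_member(vault, user)
    server.add_item(vault, "Old plans")
    honest, modified = Client("Tom"), Client("Tom", well_behaved=False)
    for client in (honest, modified):
        client.sync(server)
    server.remove_member(vault, "Tom")          # Ricky removes Tom
    server.add_item(vault, "More Cow Bell")     # Gerry adds the new Document
    for client in (honest, modified):
        client.sync(server)
    return honest.store, modified.store
```

The well-behaved client ends with an empty store; the other keeps what it had already synced but never receives More Cow Bell.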
[18] We’ve made no formal decision on whether rocket science is also beyond its scope.