From 83b2318a0600b5ab4853461c5e77a9f08914f974 Mon Sep 17 00:00:00 2001 From: "Dustin J. Mitchell" Date: Sat, 28 Dec 2019 11:24:20 -0500 Subject: [PATCH] backup scheme --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index bc4440d47..4c857eeb2 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,13 @@ Clients encrypt and sign these blobs using a symmetric key known only to the cli This secures the data at-rest on the server. Note that privacy is not complete, as the server still has some information about users, including source and frequency of synchronization transactions and size of those transactions. +## Backups + +In this design, the server is little more than an authenticated storage for encrypted blobs provided by the client. +To allow for failure or data loss on the server, clients are expected to cache these blobs locally for a short time (a week), along with a server-provided HMAC signature. +When data loss is detected -- such as when a client expects the server to have a version N or higher, and the server only has N-1, the client can send those blobs to the server. +The server can validate the HMAC and, if successful, add the blobs to its datastore. + ## Expiration TBD
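Review bot: the new Backups section leaves the HMAC key's storage and scope unstated, and the scheme depends on both. Re-upload validation only helps if the server's HMAC key survives the same loss that destroyed the blobs, so the section should say the key is kept separately from the blob datastore; and the HMAC should cover at least the user identity and version number together with the blob, otherwise a client could replay a cached blob under a different version than the one the server is missing. It would also help to state the recovery limit explicitly: with a one-week client cache, data is only recoverable if some client synced within that window. A smaller point: the sentence "When data loss is detected -- such as when a client expects the server to have a version N or higher, and the server only has N-1, the client can send those blobs to the server." is missing the closing dash; suggest "When data loss is detected -- such as when a client expects the server to have version N or higher and the server only has N-1 -- the client can send those blobs to the server."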