IPFS and authorization in a document management system

I’m considering using IPFS as a document management system using a private IPFS. The IPFS would be used to store documents by publisher clients and access documents by reader clients.

In order to control who can read documents, I would encrypt the document with a symmetric key, then provide the symmetric key securely to the reader of the document by encrypting the symmetric key with the reader’s public asymmetric key. I think this would work well and prevent any unauthorized reader from reading the document (unless some reader shares the un-encrypted symmetric key).

Therefore a reader who knows the hash of the document they want can access IPFS to obtain the document and decrypt it.

The pre-condition is that the reader knows the hash of the document they want. Anything that is added to the IPFS will be of no interest to the reader. However, since anyone (not a legit publisher) who has access to the IPFS can add a document, then the IPFS can become polluted with documents even if there is no interest in them. This could lead to higher storage costs.

Is there a way to prevent anyone who has access to an IPFS node from adding new documents, such that only clients deemed to be publishers are able to add documents - yet still let everyone else request all documents?
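The encryption scheme described in the question, sketched as an added example that is not part of the original post: the document is sealed under a fresh symmetric key, and that key is wrapped once per reader with the reader's public key. The post names no algorithms, so AES-256-GCM and RSA-OAEP, the function names `Seal`, `Open` and `aead`, and the string reader IDs are all assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

func aead(key []byte) (cipher.AEAD, error) { // AES-256-GCM from a raw 32-byte key
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Seal (illustrative, not an IPFS API) returns the blob to add to IPFS, nonce||ciphertext, and the key wrapped per reader ID.
func Seal(doc []byte, readers map[string]*rsa.PublicKey) ([]byte, map[string][]byte, error) {
	buf := make([]byte, 32+12) // fresh 32-byte key + 12-byte GCM nonce per document
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	g, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	wrapped := map[string][]byte{} // reader ID is the OAEP label, binding each copy to one reader
	for id, pub := range readers {
		if wrapped[id], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(id)); err != nil {
			return nil, nil, err
		}
	}
	return g.Seal(nonce, nonce, doc, nil), wrapped, nil
}

// Open unwraps one reader's copy of the key and decrypts; GCM rejects a wrong key or an altered blob.
func Open(blob, wrapped []byte, id string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(id))
	if err != nil {
		return nil, err
	}
	g, err := aead(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.New("unusable document key or truncated blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
```

Only the blob needs to be stored on IPFS; each wrapped key is useless without the matching private key, so it can travel over any channel.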

Just a reminder that adding a file just means advertising that you have a copy of this file and that you are ready to send it to the peers who ask for it. Someone adding a lot of junk won’t increase anybody’s need for space except their own. They can slow down the DHT though.

That’s a good point.