Bootstrapping Online Identity
ARPA2 intends to provision domain name owners with strong cryptography. To that end, it develops and extends technology and builds concrete applications and services. This project focusses on bootstrapping similar handles for strong cryptography, for a more modest class of users.
ARPA2 aims at an Internet with proper control, privacy and security for each of its users.
- For authentication we have selected the SSO solution of Kerberos5, and we even expand on it in our TLS-KDH and realm crossover projects.
- To distribute public key material, we have selected LDAP, and more specifically the idea of a Global Directory.
- To facilitate access to private key material, we selected PKCS #11, possibly over secure proxy connections.
We work to integrate these things into a hosting environment, and to replace the LAMP stack that has been static for 25 years and has caused problems in the areas of stateful service, script kiddies, database backends and of course authentication. But this will not be realised overnight; we need a path for anyone to get on board with the selected technologies; we need identity bootstrapping for users who have not set up their own infrastructure.
This research project therefore aims to create a few components that can be used step by step (including DNS settings) to establish an ever-improving strength for online identities. Website owners could use this in a GUEST subdomain, to help visitors who have no other identity provider yet. The following components should be further developed from our initial, exploratory work:
- YOURREALM.ORG enables users to get Kerberos tickets based on their mail address. An example could be joe\@example.com@YOURREALM.ORG and, once Joe gets the right DNS SRV records under example.com, he might migrate to joe@EXAMPLE.COM.
- LDAPhosting.org hosts public data for X.509 keys, OpenPGP keys and OpenSSH keys. The site can also generate key pairs, with private keys stored over (remote) PKCS #11. Authentication to LDAPhosting.org will be through Kerberos, for instance from YOURREALM.ORG. Other forms of identity may be accepted from our TLS Pool.
- A second form of identity available to all would be based on phone numbers (which become domain names through ENUM technology). The only aspect involved here would be to translate phone numbers like +1234567890 to a DNS zone 0.9.8.7.6.5.4.3.2.1.e164.arpa.
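The handle derivations described in the list above, as an added Python example that is not ARPA2's own site code. Function names are hypothetical; escaping assumes the krb5 convention of backslash-quoting '\', '@' and '/' in a principal name, and only those escapes are handled.

```python
import re

GUEST_REALM = "YOURREALM.ORG"  # guest realm name as used on this page

def _escape(text):
    # Quote the characters krb5 would otherwise read as separators.
    return re.sub(r"([\\@/])", r"\\\1", text)

def guest_principal(mail, realm=GUEST_REALM):
    """Mail address -> single-component principal in the guest realm."""
    local, sep, domain = mail.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not a mail address: %r" % mail)
    return _escape(local + "@" + domain.lower()) + "@" + realm

def split_principal(principal):
    """Split at the single unescaped '@'; return (unescaped name, realm)."""
    tokens = re.findall(r"\\.|[^\\]", principal)
    if "".join(tokens) != principal:
        raise ValueError("dangling backslash")
    cuts = [i for i, tok in enumerate(tokens) if tok == "@"]
    if len(cuts) != 1:
        raise ValueError("need exactly one unescaped '@'")
    # Simplification: every "\x" unescapes to "x" (no \n, \t, \b, \0).
    name = "".join(tok[-1] for tok in tokens[:cuts[0]])
    return name, "".join(tokens[cuts[0] + 1:])

def native_principal(principal):
    """Guest principal -> user@DOMAIN once the domain runs its own realm."""
    mail, _guest_realm = split_principal(principal)
    local, _, domain = mail.rpartition("@")
    return _escape(local) + "@" + domain.upper()

def enum_domain(number):
    """E.164 number -> ENUM owner name under e164.arpa (reversed digits)."""
    digits = re.sub(r"[\s().-]", "", number)
    if not re.fullmatch(r"\+[1-9][0-9]{1,14}", digits):
        raise ValueError("not an E.164 number: %r" % number)
    return ".".join(reversed(digits[1:])) + ".e164.arpa"

if __name__ == "__main__":
    guest = guest_principal("joe@example.com")  # the page's own example
    print(guest, "->", native_principal(guest))
    print(enum_domain("+1234567890"))
```

Without the escaping step, a mail address containing '/' or a second '@' would parse as extra name components or as a different realm, so two distinct users could collide or a name could be read as belonging to another realm.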
The research in this assignment is to find practical mechanisms to bootstrap secure identity for end-users through these services. This work involves security awareness, as well as staying mindful of an easy process through which end users can be guided to get as much security as they can get, given what mechanisms they have available.
ARPA2 is a development project with strong R&D components. Guidance for this project is provided by Dr.ir. Rick van Rein of OpenFortress, in return for which a minimal, yet working implementation of YOURREALM.ORG and LDAPhosting.org must be delivered. Basic, well-structured code for these services is already available. The work needed for YOURREALM.ORG will include small patches to MIT krb5 to enable Canonicalization; the work needed for LDAPhosting.org will include the setup of credentials in PKCS #11 and LDAP. Aside from the MIT krb5 patching work, the current site code is written in Python.
Research Questions
Internet Protocols provide many hints about online identity; they differ in their security strength, but might be combined and perhaps repeated to increase the claim of an online identity.
- Find combinations of protocols / timing that give stronger proof of identity than the current assumption, which is being able to read an email.
- Find procedures to gradually improve the security strength, perhaps by using something from one protocol to propel the strength of another.
- Quantify the security strength for the methods, so they may be compared and/or classified.
Build a minimal but practical system to demonstrate these findings.