ARPA2 intends to provision domain name owners with strong cryptography. To that end, it develops and extends technology and builds concrete applications and services. This project focusses on bootstrapping similar handles for strong cryptography, for a more modest class of users.
ARPA2 aims at an Internet with proper control, privacy and security for each of its users.
To distribute public key material, we have selected LDAP, and more specifically the idea of a Global Directory.
To facilitate access to private key material, we selected PKCS #11, possibly over secure proxy connections.
We work to integrate these things into a hosting environment, and to replace the LAMP stack that has been static for 25 years, and caused problems in the areas of stateful service, script kiddies, database backends and of course authentication. But this will not be realised overnight; we need a path for anyone to get on board with the selected technologies; we need identity bootstrapping for users who have not set up their own infrastructure.
This research project therefore aims to create a few components that can be
used step by step (including DNS settings) to establish an ever-improving
strength for online identities. Website owners could use this in
subdomain, to help visitors who have no other identity provider yet. The
following components should be further developed from our initial, exploratory
- YOURREALM.ORG enables users to get Kerberos tickets based on their mail address. An example could be joe\@example.com@YOURREALM.ORG and, once Joe gets the right DNS SRV records under example.com, he might migrate to
- LDAPhosting.org hosts public data for X.509 keys, OpenPGP keys and OpenSSH keys. The site can also generate key pairs, with private keys stored over (remote) PKCS #11. Authentication to LDAPhosting.org will be through Kerberos, for instance from YOURREALM.ORG. Other forms of identity may be accepted from our TLS Pool.
- A second form of identity available to all would be based on phone numbers (which become domain names through
  The only aspect involved here would be to translate phone numbers +1234567890 to a DNS zone
The research in this assignment is to find practical mechanisms to bootstrap secure identity for end-users through these services. This work involves security awareness, as well as staying mindful of an easy process through which end users can be guided to get as much security as they can get, given what mechanisms they have available.
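The mail-address principal shown above for YOURREALM.ORG, joe\@example.com@YOURREALM.ORG, only works if the @ inside the mail address is quoted so that it is not read as the realm separator. The following Python sketch is an added example, not ARPA2 code; its function names are hypothetical, and it assumes the krb5 string form in which a backslash quotes the next character.

```python
# Added example, not ARPA2 code. Assumption: principals use the krb5 string
# form, where "/" separates components, "@" starts the realm, and a backslash
# quotes the next character. Function names are hypothetical.
SPECIALS = "\\/@"


def quote(text):
    """Backslash-quote characters that have structural meaning in a principal."""
    return "".join("\\" + ch if ch in SPECIALS else ch for ch in text)


def mail_to_principal(mail, realm):
    """Wrap a whole mail address into one name component under `realm`."""
    local, sep, domain = mail.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not a mail address: %r" % mail)
    return quote(mail) + "@" + realm


def parse_principal(name):
    """Split a principal string into (components, realm); realm may be None."""
    parts, current, in_realm = [], [], False
    chars = iter(name)
    for ch in chars:
        if ch == "\\":
            quoted = next(chars, None)
            if quoted is None:
                raise ValueError("dangling backslash")
            current.append(quoted)
        elif ch in "/@":
            if in_realm:
                raise ValueError("unquoted %r after the realm separator" % ch)
            parts.append("".join(current))
            current = []
            in_realm = ch == "@"
        else:
            current.append(ch)
    if in_realm:
        return parts, "".join(current)
    return parts + ["".join(current)], None


if __name__ == "__main__":
    p = mail_to_principal("joe@example.com", "YOURREALM.ORG")
    print(p, parse_principal(p))
    # Without quoting, the mail domain is mistaken for the realm:
    print(parse_principal("joe@example.com"))
```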
ARPA2 is a development project with strong R&D components. Guidance to this
project is done by Dr.ir. Rick van Rein of OpenFortress, in return for which
a minimal, yet working implementation of
must be delivered. Basic, well-structured code for these services is already
available. The work for
YOURREALM.ORG will include small patches to MIT krb5 to enable
Canonicalization; the work needed for
LDAPhosting.org will include the
setup of credentials in PKCS #11 and LDAP. Aside from the MIT krb5 patching
work, the current site code is written in Python.
Internet Protocols provide many hints about online identity; they differ in their security strength, but might be combined and perhaps repeated to increase the claim of an online identity.
- Find combinations of protocols / timing that give stronger proof of identity than the current assumption, which is being able to read an email.
- Find procedures to gradually improve the security strength, perhaps by taking something from one protocol and using it to propel the strength of another.
- Quantify the security strength for the methods, so they may be compared and/or classified.
Build a minimal but practical system to demonstrate these findings.