ARPA2 intends to provision domain name owners with strong cryptography. To that end, it develops and extends technology and builds concrete applications and services. This project focusses on bootstrapping similar handles for strong cryptography, for a more modest class of users.

ARPA2 aims at an Internet with proper control, privacy and security for each of its users.

  • For authentication we have selected the SSO solution of Kerberos5, and we even expand on it in our TLS-KDH and realm crossover projects.

  • To distribute public key material, we have selected LDAP, and more specifically the idea of a Global Directory.

  • To facilitate access to private key material, we selected PKCS #11, possibly over secure proxy connections.

We work to integrate these things into a hosting environment, and to replace the LAMP stack that has been static for 25 years, and caused problems in the areas of stateful service, script kiddies, database backends and of course authentication. But this will not be realised overnight; we need a path for anyone to get on board with the selected technologies; we need identity bootstrapping for users who have not set up their own infrastructure.

This research project therefore aims to create a few components that can be used step by step (including DNS settings) to establish an ever-improving strength for online identities. Website owners could use this in a GUEST subdomain, to help visitors who have no other identity provider yet. The following components should be further developed from our initial, exploratory work:

  • YOURREALM.ORG enables users to get Kerberos tickets based on their mail address. An example could be joe\@example.com@YOURREALM.ORG and, once Joe gets the right DNS SRV records under example.com, he might migrate to joe@EXAMPLE.COM.
  • LDAPhosting.org hosts public data for X.509 keys, OpenPGP keys and OpenSSH keys. The site can also generate key pairs, with private keys stored over (remote) PKCS #11. Authentication to LDAPhosting.org will be through Kerberos, for instance from YOURREALM.ORG. Other forms of identity may be accepted from our TLS Pool.
  • A second form of identity available to all would be based on phone numbers (which become domain names through ENUM technology). The only aspect involved here would be to translate phone numbers like +1234567890 to a DNS zone 0.9.8.7.6.5.4.3.2.1.e164.arpa.
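The two name mappings in the list above, as an added Python sketch that is not part of the ARPA2 code base. The function names are hypothetical, the SRV owner names follow RFC 4120, the DNS data is constructed, and the lookup callable is assumed to return DNSSEC-validated answers.

```python
import re

GUEST_REALM = "YOURREALM.ORG"   # guest realm named in the text above

def escape_component(text):
    """Backslash-escape the characters that are special in a Kerberos name."""
    return re.sub(r'([\\@/])', r'\\\1', text)

def split_mail(mail):
    """Validate a mail address and return (local part, lower-cased domain)."""
    local, sep, domain = mail.rpartition("@")
    if not (sep and local and re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", domain)):
        raise ValueError("not a usable mail address: %r" % mail)
    return local, domain.lower()

def guest_principal(mail):
    """joe@example.com -> joe\\@example.com@YOURREALM.ORG (enterprise-style name)."""
    local, domain = split_mail(mail)
    return "%s@%s" % (escape_component("%s@%s" % (local, domain)), GUEST_REALM)

def own_principal(mail):
    """joe@example.com -> joe@EXAMPLE.COM (realm is the upper-cased domain)."""
    local, domain = split_mail(mail)
    return "%s@%s" % (escape_component(local), domain.upper())

def kdc_srv_names(domain):
    """SRV owner names a client queries to locate KDCs for the domain's realm."""
    return ["_kerberos._udp.%s." % domain, "_kerberos._tcp.%s." % domain]

def enum_zone(phone):
    """E.164 number -> ENUM zone: digits reversed, dot-separated, under e164.arpa."""
    digits = re.sub(r"[\s().-]", "", phone)
    if not re.fullmatch(r"\+[1-9][0-9]{1,14}", digits):
        raise ValueError("not an E.164 number: %r" % phone)
    return ".".join(reversed(digits[1:])) + ".e164.arpa"

def select_principal(mail, srv_lookup):
    """Use the user's own realm once its KDC SRV records resolve, else the guest
    realm. srv_lookup(name) -> list of targets; an unvalidated resolver here
    would let a spoofed DNS answer steer realm selection."""
    _, domain = split_mail(mail)
    if any(srv_lookup(name) for name in kdc_srv_names(domain)):
        return own_principal(mail)
    return guest_principal(mail)

# Constructed DNS data for the demonstration (not real records).
SAMPLE_DNS = {"_kerberos._udp.example.com.": ["kdc1.example.com."]}

if __name__ == "__main__":
    for mail in ("joe@example.com", "ann@example.net"):
        print(select_principal(mail, lambda name: SAMPLE_DNS.get(name, [])))
```

Escaping the local part matters because `@` and `/` are separators in Kerberos names; without it a mail address containing them could be parsed as a different principal.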

The research in this assignment is to find practical mechanisms to bootstrap secure identity for end-users through these services. This work involves security awareness, as well as staying mindful of an easy process through which end users can be guided to get as much security as they can get, given what mechanisms they have available.

ARPA2 is a development project with strong R&D components. Guidance for this project is provided by Dr.ir. Rick van Rein of OpenFortress, in return for which a minimal, yet working implementation of YOURREALM.ORG and LDAPhosting.org must be delivered. Basic, well-structured code for these services is already available. The work needed for YOURREALM.ORG will include small patches to MIT krb5 to enable Canonicalization; the work needed for LDAPhosting.org will include the setup of credentials in PKCS #11 and LDAP. Aside from the MIT krb5 patching work, the current site code is written in Python.

Research Questions

Internet Protocols provide many hints about online identity; they differ in their security strength, but might be combined and perhaps repeated to increase the claim of an online identity.

  • Find combinations of protocols / timing that give stronger proof of identity than the current assumption, which is being able to read an email.
  • Find procedures to gradually improve the security strength, perhaps by using something from one protocol to propel the strength of another.
  • Quantify the security strength for the methods, so they may be compared and/or classified.

Build a minimal but practical system to demonstrate these findings.