Network Working Group | P. Hallam-Baker |
Internet-Draft | Comodo Group Inc. |
Intended status: Informational | August 18, 2017 |
Expires: February 19, 2018 |
Mathematical Mesh: Web Application Binding
draft-hallambaker-mesh-app-web-01
The Mathematical Mesh ?The Mesh? is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. This document describes the use of the Mesh to store Web application information.
This document is also available online at http://prismproof.org/Documents/draft-hallambaker-mesh-app-web.html .
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 19, 2018.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This section presents the related specifications and standard, the terms that are used as terms of art within the documents and the terms used as requirements language.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] .
The related specifications are described in the Mesh Architecture specification [draft-hallambaker-mesh-architecture]
No terms of art are defined.
The implementation status of the reference code base is described in the companion document [draft-hallambaker-mesh-developer] .
The Mathematical Mesh is a personal PKI that permits a user to connect multiple devices to a ?personal profile? through which application information is shared between the connected devices. All Mesh communications are secured through a combination of end-to-end security to protect confidentiality and integrity and transport security to provide protection against traffic analysis.
A full description of the Mathematical Mesh architecture is to be found in [draft-hallambaker-mesh-architecture]
This document describes a proposed design for a demonstration of using the Mesh to provide a cloud based password manager for connected Web browsers. The approach may be readily extended to support management of Web bookmarks.
Alice decides to use the Mesh to manage her Web usernames and passwords.
She creates two accounts:
The JSON encoding of the password data is as follows:
{ "PasswordProfilePrivate": { "Entries": [{ "Sites": ["example.com"], "Username": "alice", "Password": "password2"}]}}
Figure 1
The JSON encoded password data is then encrypted and stored in an application profile as follows:
{ "PasswordProfile": { "Identifier": "MBMBD-JYUK7-3BQG2-NZKFE-CMW5J-IUSRB-A"}}
Figure 2
As we saw earlier, Alice really needs to start using stronger passwords. Fortunately, having access to a password manager means that Alice doesn't need to remember different passwords for every site she uses any more.
In addition to offering to use the Mesh to remember passwords, a Web browser can offer to automatically generate a password for a site. This can be a much stronger password than the user would normally want to choose if they had to remember it.
Alice chooses to use password generation. Her password manager profile is updated to reflect this new choice.
{ "PasswordProfilePrivate": { "Entries": [{ "Sites": ["example.com"], "Username": "alice", "Password": "password2"}]}}
Figure 3
Alice is happy to use the password manager for her general Web sites but not for the password she uses to log in to her bank account. When asked if the password should be stored in the Mesh, Alice declines and asks not to be asked in the future.
{ "PasswordProfilePrivate": { "Entries": [{ "Sites": ["example.com"], "Username": "alice", "Password": "password2"}]}}
Figure 4
The use of the Mesh to store bookmarks is an obvious extension to use of the Mesh as a password manage. The principal differences being that the privacy concerns are somewhat less critical than storing credentials and a bookmark file is likely to be considerably longer than a password file.
The principal design challenge in adding bookmarks is working out how to provide a convenient interface to help the user manage their bookmarks. A hierarchical list of folders quickly becomes cluttered.
Stores usernames and passwords
[None]
Private part of the profile.
If true, a client MAY offer to automatically generate strong (i.e. not memorable) passwords for a user. A user would not normally want to use this feature unless they have access to Mesh password management on every device they use to browse the Web
A list of password credential entries.
A list of domain names of sites for which clients MUST NOT ask to store passwords for.
Username password entry for a single site
DNS name of site *.example.com matches www.example.com etc.
Case sensitive username
Case sensitive password.
A demonstration of using the Mesh to manage Web browser passwords is described.
The end goal in developing the Mesh application protocols is to encourage application providers to provide native support for the Mesh rendering extensions obsolete. Such implementation is likely to be best encouraged through provision of a reference library in C.
I propose implementation of a demonstration as follows:
Platform Windows
Browser: Chrome
Approach:
Integration to browser features to be supported by platform independent extension module
Mesh integration to be provided by a platform specific executable written in C.
For initial testing / canned demo purposes, the Mesh integration module will be a ?stub? that access a data file at a defined location on disk that contains the PasswordProfilePrivate data structure. The task of synchronizing data with the Mesh will be performed using the Mesh profile management client.
Further development:
Implementation of the production extension by modifying the platform specific executable.
Support for macOS by implementing a Mac specific platform executable
Support for Linux by implementing a Mac specific platform executable
This approach allows the platform specific extensions to be tailored to the cryptographic key management capabilities offered by each platform. For example, the use of a TPM to protect private keys on Windows or the Keyring mechanism on macOS.
[draft-hallambaker-mesh-architecture] | Hallam-Baker, P., "Mathematical Mesh: Architecture", Internet-Draft draft-hallambaker-mesh-architecture-03, May 2017. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[draft-hallambaker-mesh-developer] | Hallam-Baker, P., "Mathematical Mesh: Developer's Guide", Internet-Draft draft-hallambaker-mesh-developer-02, September 2016. |