Internet-Draft Mathematical Mesh Platform Configuration September 2016
Hallam-Baker Expires 23 March 2017 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-hallambaker-mesh-app-web-00
Published:
Intended Status:
Standards Track
Expires:
Author:
P. M. Hallam-Baker
Comodo Group Inc.

Mathematical Mesh: Web Application Binding

Abstract

The Mathematical Mesh 'The Mesh' is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. This document describes the use of the Mesh to store Web application information.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 23 March 2017.

Table of Contents

1. Definitions

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2. Introduction

The Mathematical Mesh is a personal PKI that permits a user to connect multiple devices to a 'personal profile' through which application information is shared between the connected devices. All Mesh communications are secured through a combination of end-to-end security to protect confidentiality and integrity and transport security to provide protection against traffic analysis.

A full description of the Mathematical Mesh architecture is to be found in [draft-hallambaker-mesh-architecture-01]

This document describes a proposed design for a demonstration of using the Mesh to provide a cloud based password manager for connected Web browsers. The approach may be readily extended to support management of Web bookmarks.

3. Password Management

Alice decides to use the Mesh to manage her Web usernames and passwords.

She creates two accounts:

The JSON encoding of the password data is as follows:

{
  "PasswordProfilePrivate": {
    "Entries": [{
        "Sites": ["example.com"],
        "Username": "alice",
        "Password": "secret"},
      {
        "Sites": ["cnn.com"],
        "Username": "alice1",
        "Password": "secret"}]}}

The JSON encoded password data is then encrypted and stored in an application profile as follows:

{
  "PasswordProfile": {
    "Identifier": "MCVSI-2OAGD-AN7GS-OTHBS-QHELX-AJCDO-A",
    "EncryptedData": {
      "protected": "
ewogICJhbGciOiAiQUUxMjgifQ",
      "iv": "
LIRu00HQBv5nwEjxJfQVoQ",
      "ciphertext": "
Fz39PhXGD38YAwzR_kL3VpundLNTamIkVWGcpuJF6397MGb57wXkrZoxYXLUsKRS",
      "recipients": [{
          "Header": {
            "kid": "MCXAL-463WQ-QKFAO-TTT3V-MEVW6-AJ2EE"},
          "encrypted_key": "
bvmF3YPt8ZnKDSPuUqzb9WC7aR0AC3XvozUq6fln5jXXoWzpeFBbHItBrN5PZ2MM
vxO-UQ3t0a5eLsQ8tAw8K3c1IDXbsFgTjnZ3GNUbFzD0SfU1L6twmhDHkxdN9gGC
a79GBFwc6ZD_4vNz9uANqSQptkvCTTDnCHnEooMoj2_gQE5tR5Oc7BSPm47RxBeR
I-CuyY7QhdyhrJNqgZm8X67Njy4fakMnCkwT-d3QnGY5tFWtrw42_9d7V3mXorLZ
IOE3KBJxteXiR-KUV6itlYfQVx6D-8oYaL1Ha_u7epIU24ivo9ilQZ8Av0ybg5pl
O619p9YPdRcrEfgUsRDMuA"},
        {
          "Header": {
            "kid": "MAWTR-QKK46-5DY3M-2UD2W-BR2MX-CAE2E"},
          "encrypted_key": "
GuRfv5is-QA66JIk-iFxNeOOeOdST6qYUm480JjKCtB0hJ2g6ArnvPuFCNykNNJ5
ui8YPlbI5hD1lpGocVR3EVZu6TI65ENN-5uecZ0mdcRrfQZBxvuzu3osAZWOgvoB
79Pk79skRfS6sZJ7Ph7NQwLXVOupmNkk0TrZbYWQgUc0SYufPcCZ1bgQT1gixuOB
xl-oqFB74Sv_rkpRMIl2SNGFohMIDHazHJUd0m0DUARqYL_-rdxKZC9PCodRYYhl
fNXJi3vgzu5fllxiSa21vma2PmVz9ERhepZebYkYJl2BrbF6bcen2wOGyGvx_1FP
qkKq6RJ2LSTikmt03JoG5g"}]}}}

As we saw earlier, Alice really needs to start using stronger passwords. Fortunately, having access to a password manager means that Alice doesn't need to remember different passwords for every site she uses any more.

In addition to offering to use the Mesh to remember passwords, a Web browser can offer to automatically generate a password for a site. This can be a much stronger password than the user would normally want to choose if they had to remember it.

Alice chooses to use password generation. Her password manager profile is updated to reflect this new choice.

{
  "PasswordProfilePrivate": {
    "AutoGenerate": true,
    "Entries": [{
        "Sites": ["example.com"],
        "Username": "alice",
        "Password": "secret"},
      {
        "Sites": ["cnn.com"],
        "Username": "alice1",
        "Password": "secret"}]}}

Alice is happy to use the password manager for her general Web sites but not for the password she uses to log in to her bank account. When asked if the password should be stored in the Mesh, Alice declines and asks not to be asked in the future.

{
  "PasswordProfilePrivate": {
    "AutoGenerate": true,
    "Entries": [{
        "Sites": ["example.com"],
        "Username": "alice",
        "Password": "secret"},
      {
        "Sites": ["cnn.com"],
        "Username": "alice1",
        "Password": "secret"}],
    "NeverAsk": ["bank.com"]}}

3.1. Bookmark Management

The use of the Mesh to store bookmarks is an obvious extension to use of the Mesh as a password manage. The principal differences being that the privacy concerns are somewhat less critical than storing credentials and a bookmark file is likely to be considerably longer than a password file.

The principal design challenge in adding bookmarks is working out how to provide a convenient interface to help the user manage their bookmarks. A hierarchical list of folders quickly becomes cluttered.

4. Application Schema

4.1. Password Application Profile Objects

4.1.1. Structure: PasswordProfile

    • Inherits: ApplicationProfile

Stores usernames and passwords

[None]

4.1.2. Structure: PasswordProfilePrivate

AutoGenerate: Boolean (Optional)

If true, a client MAY offer to automatically generate strong (i.e. not memorable) passwords for a user. A user would not normally want to use this feature unless they have access to Mesh password management on every device they use to browse the Web

Entries: PasswordEntry [0..Many]

A list of password credential entries.

NeverAsk: String [0..Many]

A list of domain names of sites for which clients MUST NOT ask to store passwords for.

4.1.3. Structure: PasswordEntry

Username password entry for a single site

Sites: String [0..Many]

DNS name of site *.example.com matches www.example.com etc.

Username: String (Optional)

Case sensitive username

Password: String (Optional)

Case sensitive password.

5. Demonstration

A demonstration of using the Mesh to manage Web browser passwords is described.

The end goal in developing the Mesh application protocols is to encourage application providers to provide native support for the Mesh rendering extensions obsolete. Such implementation is likely to be best encouraged through provision of a reference library in C.

I propose implementation of a demonstration as follows:

Platform Windows

Browser: Chrome

Approach:

Integration to browser features to be supported by platform independent extension module

Mesh integration to be provided by a platform specific executable written in C.

For initial testing / canned demo purposes, the Mesh integration module will be a 'stub' that access a data file at a defined location on disk that contains the PasswordProfilePrivate data structure. The task of synchronizing data with the Mesh will be performed using the Mesh profile management client.

Further development:

Implementation of the production extension by modifying the platform specific executable.

Support for macOS by implementing a Mac specific platform executable

Support for Linux by implementing a Mac specific platform executable

This approach allows the platform specific extensions to be tailored to the cryptographic key management capabilities offered by each platform. For example, the use of a TPM to protect private keys on Windows or the Keyring mechanism on macOS.

6. Normative References

[draft-hallambaker-mesh-architecture-01]
"[Reference Not Found!]".
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.

Author's Address

Phillip Hallam-Baker
Comodo Group Inc.