Network Working Group P. Hallam-Baker
Internet-Draft Comodo Group Inc.
Intended status: Standards Track September 19, 2016
Expires: March 23, 2017

Mathematical Mesh: Web Application Binding
draft-hallambaker-mesh-app-web-00

Abstract

The Mathematical Mesh 'The Mesh' is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. This document describes the use of the Mesh to store Web application information.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 23, 2017.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Definitions

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2. Introduction

The Mathematical Mesh is a personal PKI that permits a user to connect multiple devices to a 'personal profile' through which application information is shared between the connected devices. All Mesh communications are secured through a combination of end-to-end security to protect confidentiality and integrity and transport security to provide protection against traffic analysis.

A full description of the Mathematical Mesh architecture is to be found in [draft-hallambaker-mesh-architecture-01]

This document describes a proposed design for a demonstration of using the Mesh to provide a cloud based password manager for connected Web browsers. The approach may be readily extended to support management of Web bookmarks.

3. Password Management

Alice decides to use the Mesh to manage her Web usernames and passwords.

She creates two accounts:

The JSON encoding of the password data is as follows:

{
  "PasswordProfilePrivate": {
    "Entries": [{
        "Sites": ["example.com"],
        "Username": "alice",
        "Password": "secret"},
      {
        "Sites": ["cnn.com"],
        "Username": "alice1",
        "Password": "secret"}]}}

The JSON encoded password data is then encrypted and stored in an application profile as follows:

{
  "PasswordProfile": {
    "Identifier": "MCVSI-2OAGD-AN7GS-OTHBS-QHELX-AJCDO-A",
    "EncryptedData": {
      "protected": "
ewogICJhbGciOiAiQUUxMjgifQ",
      "iv": "
LIRu00HQBv5nwEjxJfQVoQ",
      "ciphertext": "
Fz39PhXGD38YAwzR_kL3VpundLNTamIkVWGcpuJF6397MGb57wXkrZoxYXLUsKRS",
      "recipients": [{
          "Header": {
            "kid": "MCXAL-463WQ-QKFAO-TTT3V-MEVW6-AJ2EE"},
          "encrypted_key": "
bvmF3YPt8ZnKDSPuUqzb9WC7aR0AC3XvozUq6fln5jXXoWzpeFBbHItBrN5PZ2MM
vxO-UQ3t0a5eLsQ8tAw8K3c1IDXbsFgTjnZ3GNUbFzD0SfU1L6twmhDHkxdN9gGC
a79GBFwc6ZD_4vNz9uANqSQptkvCTTDnCHnEooMoj2_gQE5tR5Oc7BSPm47RxBeR
I-CuyY7QhdyhrJNqgZm8X67Njy4fakMnCkwT-d3QnGY5tFWtrw42_9d7V3mXorLZ
IOE3KBJxteXiR-KUV6itlYfQVx6D-8oYaL1Ha_u7epIU24ivo9ilQZ8Av0ybg5pl
O619p9YPdRcrEfgUsRDMuA"},
        {
          "Header": {
            "kid": "MAWTR-QKK46-5DY3M-2UD2W-BR2MX-CAE2E"},
          "encrypted_key": "
GuRfv5is-QA66JIk-iFxNeOOeOdST6qYUm480JjKCtB0hJ2g6ArnvPuFCNykNNJ5
ui8YPlbI5hD1lpGocVR3EVZu6TI65ENN-5uecZ0mdcRrfQZBxvuzu3osAZWOgvoB
79Pk79skRfS6sZJ7Ph7NQwLXVOupmNkk0TrZbYWQgUc0SYufPcCZ1bgQT1gixuOB
xl-oqFB74Sv_rkpRMIl2SNGFohMIDHazHJUd0m0DUARqYL_-rdxKZC9PCodRYYhl
fNXJi3vgzu5fllxiSa21vma2PmVz9ERhepZebYkYJl2BrbF6bcen2wOGyGvx_1FP
qkKq6RJ2LSTikmt03JoG5g"}]}}}

As we saw earlier, Alice really needs to start using stronger passwords. Fortunately, having access to a password manager means that Alice doesn't need to remember different passwords for every site she uses any more.

In addition to offering to use the Mesh to remember passwords, a Web browser can offer to automatically generate a password for a site. This can be a much stronger password than the user would normally want to choose if they had to remember it.

Alice chooses to use password generation. Her password manager profile is updated to reflect this new choice.

{
  "PasswordProfilePrivate": {
    "AutoGenerate": true,
    "Entries": [{
        "Sites": ["example.com"],
        "Username": "alice",
        "Password": "secret"},
      {
        "Sites": ["cnn.com"],
        "Username": "alice1",
        "Password": "secret"}]}}

Alice is happy to use the password manager for her general Web sites but not for the password she uses to log in to her bank account. When asked if the password should be stored in the Mesh, Alice declines and asks not to be asked in the future.

{
  "PasswordProfilePrivate": {
    "AutoGenerate": true,
    "Entries": [{
        "Sites": ["example.com"],
        "Username": "alice",
        "Password": "secret"},
      {
        "Sites": ["cnn.com"],
        "Username": "alice1",
        "Password": "secret"}],
    "NeverAsk": ["bank.com"]}}

3.1. Bookmark Management

The use of the Mesh to store bookmarks is an obvious extension to use of the Mesh as a password manage. The principal differences being that the privacy concerns are somewhat less critical than storing credentials and a bookmark file is likely to be considerably longer than a password file.

The principal design challenge in adding bookmarks is working out how to provide a convenient interface to help the user manage their bookmarks. A hierarchical list of folders quickly becomes cluttered.

4. Application Schema

4.1. Password Application Profile Objects

4.1.1. Structure: PasswordProfile

Stores usernames and passwords

[None]

4.1.2. Structure: PasswordProfilePrivate

AutoGenerate: Boolean (Optional)

If true, a client MAY offer to automatically generate strong (i.e. not memorable) passwords for a user. A user would not normally want to use this feature unless they have access to Mesh password management on every device they use to browse the Web

Entries: PasswordEntry [0..Many]

A list of password credential entries.

NeverAsk: String [0..Many]

A list of domain names of sites for which clients MUST NOT ask to store passwords for.

4.1.3. Structure: PasswordEntry

Username password entry for a single site

Sites: String [0..Many]

DNS name of site *.example.com matches www.example.com etc.

Username: String (Optional)

Case sensitive username

Password: String (Optional)

Case sensitive password.

5. Demonstration

A demonstration of using the Mesh to manage Web browser passwords is described.

The end goal in developing the Mesh application protocols is to encourage application providers to provide native support for the Mesh rendering extensions obsolete. Such implementation is likely to be best encouraged through provision of a reference library in C.

I propose implementation of a demonstration as follows:

Platform Windows

Browser: Chrome

Approach:

Integration to browser features to be supported by platform independent extension module

Mesh integration to be provided by a platform specific executable written in C.

For initial testing / canned demo purposes, the Mesh integration module will be a 'stub' that access a data file at a defined location on disk that contains the PasswordProfilePrivate data structure. The task of synchronizing data with the Mesh will be performed using the Mesh profile management client.

Further development:

Implementation of the production extension by modifying the platform specific executable.

Support for macOS by implementing a Mac specific platform executable

Support for Linux by implementing a Mac specific platform executable

This approach allows the platform specific extensions to be tailored to the cryptographic key management capabilities offered by each platform. For example, the use of a TPM to protect private keys on Windows or the Keyring mechanism on macOS.

6. Normative References

[draft-hallambaker-mesh-architecture-01] , , "[Reference Not Found!]"
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

Author's Address

Phillip Hallam-Baker Comodo Group Inc. EMail: philliph@comodo.com