Network Working Group P. Hallam-Baker Internet-Draft Comodo Group Inc. Intended status: Informational April 11, 2018 Expires: October 13, 2018 Mathematical Mesh: Platform Configuration draft-hallambaker-mesh-platform-03 Abstract The Mathematical Mesh ?The Mesh? is an end-to-end secure infrastructure that facilitates the exchange of configuration and credential data between multiple user devices. This document describes how Mesh profiles are stored for application access on Windows, Linux and OSX platforms. This document is also available online at http://prismproof.org/Documents/draft-hallambaker-mesh-platform.html [1] . Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 13, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Hallam-Baker Expires October 13, 2018 [Page 1] Internet-Draft Mathematical Mesh Platform Configuration April 2018 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2.2. Defined Terms . . . . . . . . . . . . . . . . . . . . . . 3 2.3. Related Specifications . . . . . . . . . . . . . . . . . 3 2.4. Implementation Status . . . . . . . . . . . . . . . . . . 3 3. Windows Platform Configuration . . . . . . . . . . . . . . . 3 3.1. Registry Key Entries . . . . . . . . . . . . . . . . . . 4 3.2. Data File Locations . . . . . . . . . . . . . . . . . . . 5 3.3. Key Store Entries . . . . . . . . . . . . . . . . . . . . 5 3.4. Profiles . . . . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Locating a personal profile . . . . . . . . . . . . . 5 3.4.2. Locating a device profile . . . . . . . . . . . . . . 5 3.4.3. Locating an application profile . . . . . . . . . . . 5 4. OSX Platform Configuration . . . . . . . . . . . . . . . . . 5 4.1. Key Storage . . . . . . . . . . . . . . . . . . . . . . . 6 5. Linux Platform Configuration . . . . . . . . . . . . . . . . 6 5.1. Key Storage . . . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . 7 8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction This document describes recommended platform specific configuration for Mathematical Mesh applications. The use of common conventions for storage of profiles and private keys allows mesh enabled applications to interoperate on the same machine. Protecting private key material from disclosure to other processes presents complex and difficult technical challenges. Ensuring that a key is properly erased from storage before memory is released relies on a complex series of assumptions about memory management at the compiler, operating system and the platform level. For maximum security, the use of private key storage facilities provided by the platform is preferred. Hallam-Baker Expires October 13, 2018 [Page 2] Internet-Draft Mathematical Mesh Platform Configuration April 2018 2. Definitions This section presents the related specifications and standard, the terms that are used as terms of art within the documents and the terms used as requirements language. 2.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] . 2.2. Defined Terms The terms of art used in this document are described in the Mesh Architecture Guide [draft-hallambaker-mesh-architecture] . 2.3. Related Specifications The architecture of the Mathematical Mesh is described in the Mesh Architecture Guide [draft-hallambaker-mesh-architecture] . The Mesh documentation set and related specifications are described in this document. 2.4. Implementation Status The implementation status of the reference code base is described in the companion document [draft-hallambaker-mesh-developer] . 3. Windows Platform Configuration The Windows Configuration is stored in a combination of Windows Key Store entries, registry entries and data files. The profiles that are available to a user are specified as Windows registry keys. Cached and archival copies of profiles are stored on the local machine as data files with file names and locations specified in the Windows registry. Cryptographic keys are stored in a Windows key store. To locate a device, application or personal profile, an application: Searches for a Windows registry entry that matches the relevant criteria. Hallam-Baker Expires October 13, 2018 [Page 3] Internet-Draft Mathematical Mesh Platform Configuration April 2018 Retrieves the profile data from either a local cached copy or the corresponding portal. Accesses the corresponding private keys through the Windows key store. The Windows Key store is the natural storage location for cryptographic keys on the Windows platform as keys are at minimum protected by the operating system access control mechanism. The Windows key store also permits the use of cryptographic hardware devices. 3.1. Registry Key Entries All keys used by the Mathematical Mesh are stored in the following Windows registry location: HKEY_CURRENT_USER\SOFTWARE\CryptoMesh This location has the following sub keys: PersonalProfiles (Default) -> UDF fingerprint of the default personal profile PersonalProfiles\<UDF> (Default) -> File location for the profile. Archive -> File location for the profile archive. Portals -> Multistring containing portal accounts to which the profile is registered. The default portal is first. ApplicationProfiles Web -> UDF fingerprint of default Web Application profile SSH -> UDF fingerprint of default SSH Application profile Network -> UDF fingerprint of default network Application profile Mail -> UDF fingerprint of default Mail Application profile -> File location of profile DeviceProfiles (Default) -> UDF fingerprint of default device profile -> File location of device profile Hallam-Baker Expires October 13, 2018 [Page 4] Internet-Draft Mathematical Mesh Platform Configuration April 2018 3.2. Data File Locations ApplicationData \CryptoMesh\ 3.3. Key Store Entries 3.4. Profiles 3.4.1. Locating a personal profile To locate the default personal profile, an application: Retrieves the key PersonalProfiles\(Default) to get Locates the profile with identifier To locate the personal profile with identifier UDF, an application: Retrieves the key PersonalProfiles\ Retrieves the latest version of the profile from the location specified in PersonalProfiles\\(Default) If necessary, the profile is refreshed from one of the accounts specified in PersonalProfiles\\Portal In case of an inconsistency being detected, the application MAY use the archived copies of the profile to resynchronize. Note that having been connected to a profile at some time in the past does not guarantee that a device currently has access, even if the device in question was an administration device for the profile. 3.4.2. Locating a device profile To locate a device profile an application 3.4.3. Locating an application profile To locate a device profile an application 4. OSX Platform Configuration The OSX configuration is stored in a combination of a master configuration file, profile data files and the OSX KeyChain The profiles that are available to a user are stored in a JSON configuration file Hallam-Baker Expires October 13, 2018 [Page 5] Internet-Draft Mathematical Mesh Platform Configuration April 2018 Cached and archival copies of profiles are stored on the local machine as data files with file names and locations specified in the JSON configuration file Cryptographic keys are stored in the OSX Key Chain. File locations The JSON Configuration file is stored in ~/.cryptomesh/profiles.json Profile data files are stored in a directory ~/.cryptomesh/ The latest copy of the profile is stored in .mmm An archive containing all the stored profiles is stored in .all.mmm 4.1. Key Storage Private keys are stored in the OSX Key Manager in some fashion to be decided later. 5. Linux Platform Configuration The Linux configuration is stored in a combination of a master configuration file, profile data files and private key files. The file layout of the Linux configuration and data files is identical to that of OSX. 5.1. Key Storage Private Keys are stored in the locations that the Linux applications that are to use them expect to find them. 6. IANA Considerations None 7. Acknowledgements TBS 8. References Hallam-Baker Expires October 13, 2018 [Page 6] Internet-Draft Mathematical Mesh Platform Configuration April 2018 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. 8.2. Informative References [draft-hallambaker-mesh-architecture] Hallam-Baker, P., "Mathematical Mesh: Architecture", draft-hallambaker-mesh-architecture-04 (work in progress), September 2017. [draft-hallambaker-mesh-developer] Hallam-Baker, P., "Mathematical Mesh: Reference Implementation", draft-hallambaker-mesh-developer-06 (work in progress), April 2018. 8.3. URIs [1] http://prismproof.org/Documents/draft-hallambaker-mesh- platform.html Author's Address Phillip Hallam-Baker Comodo Group Inc. Email: philliph@comodo.com Hallam-Baker Expires October 13, 2018 [Page 7]