Network Working Group                                    P. Hallam-Baker
Internet-Draft                                         Comodo Group Inc.
Intended status: Standards Track                      September 19, 2016
Expires: March 23, 2017


              Mathematical Mesh: Web Application Binding
                    draft-hallambaker-mesh-app-web-00

Abstract

   The Mathematical Mesh ('the Mesh') is an end-to-end secure
   infrastructure that facilitates the exchange of configuration and
   credential data between multiple user devices.  This document
   describes the use of the Mesh to store Web application information.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 23, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Definitions
     1.1.  Requirements Language
   2.  Introduction
   3.  Password Management
     3.1.  Bookmark Management
   4.  Application Schema
     4.1.  Password Application Profile Objects
       4.1.1.  Structure: PasswordProfile
       4.1.2.  Structure: PasswordProfilePrivate
       4.1.3.  Structure: PasswordEntry
   5.  Demonstration
   6.  Normative References
   Author's Address

1.  Definitions

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Introduction

   The Mathematical Mesh is a personal PKI that permits a user to
   connect multiple devices to a 'personal profile' through which
   application information is shared between the connected devices.  All
   Mesh communications are secured through a combination of end-to-end
   security, to protect confidentiality and integrity, and transport
   security, to provide protection against traffic analysis.

   A full description of the Mathematical Mesh architecture is to be
   found in [draft-hallambaker-mesh-architecture-01].

   This document describes a proposed design for a demonstration of
   using the Mesh to provide a cloud-based password manager for
   connected Web browsers.  The approach may be readily extended to
   support management of Web bookmarks.

3.  Password Management

   Alice decides to use the Mesh to manage her Web usernames and
   passwords.
   She creates two accounts:

   o  example.com: username 'alice', password 'secret'

   o  cnn.com: username 'alice1', password 'secret'

   The JSON encoding of the password data is as follows:

   {
     "PasswordProfilePrivate": {
       "Entries": [{
           "Sites": ["example.com"],
           "Username": "alice",
           "Password": "secret"},
         {
           "Sites": ["cnn.com"],
           "Username": "alice1",
           "Password": "secret"}]}}

   The JSON encoded password data is then encrypted and stored in an
   application profile as follows.  The "protected" value is the
   base64url encoding of the header {"alg": "AE128"}; the content is
   encrypted once, and each entry under "recipients" carries the
   content key encrypted to one recipient key, identified by its "kid",
   so that only the holders of those keys can recover the plaintext:

   {
     "PasswordProfile": {
       "Identifier": "MCVSI-2OAGD-AN7GS-OTHBS-QHELX-AJCDO-A",
       "EncryptedData": {
         "protected": "ewogICJhbGciOiAiQUUxMjgifQ",
         "iv": "LIRu00HQBv5nwEjxJfQVoQ",
         "ciphertext": "
   Fz39PhXGD38YAwzR_kL3VpundLNTamIkVWGcpuJF6397MGb57wXkrZoxYXLUsKRS",
         "recipients": [{
             "Header": {
               "kid": "MCXAL-463WQ-QKFAO-TTT3V-MEVW6-AJ2EE"},
             "encrypted_key": "
   bvmF3YPt8ZnKDSPuUqzb9WC7aR0AC3XvozUq6fln5jXXoWzpeFBbHItBrN5PZ2MM
   vxO-UQ3t0a5eLsQ8tAw8K3c1IDXbsFgTjnZ3GNUbFzD0SfU1L6twmhDHkxdN9gGC
   a79GBFwc6ZD_4vNz9uANqSQptkvCTTDnCHnEooMoj2_gQE5tR5Oc7BSPm47RxBeR
   I-CuyY7QhdyhrJNqgZm8X67Njy4fakMnCkwT-d3QnGY5tFWtrw42_9d7V3mXorLZ
   IOE3KBJxteXiR-KUV6itlYfQVx6D-8oYaL1Ha_u7epIU24ivo9ilQZ8Av0ybg5pl
   O619p9YPdRcrEfgUsRDMuA"},
           {
             "Header": {
               "kid": "MAWTR-QKK46-5DY3M-2UD2W-BR2MX-CAE2E"},
             "encrypted_key": "
   GuRfv5is-QA66JIk-iFxNeOOeOdST6qYUm480JjKCtB0hJ2g6ArnvPuFCNykNNJ5
   ui8YPlbI5hD1lpGocVR3EVZu6TI65ENN-5uecZ0mdcRrfQZBxvuzu3osAZWOgvoB
   79Pk79skRfS6sZJ7Ph7NQwLXVOupmNkk0TrZbYWQgUc0SYufPcCZ1bgQT1gixuOB
   xl-oqFB74Sv_rkpRMIl2SNGFohMIDHazHJUd0m0DUARqYL_-rdxKZC9PCodRYYhl
   fNXJi3vgzu5fllxiSa21vma2PmVz9ERhepZebYkYJl2BrbF6bcen2wOGyGvx_1FP
   qkKq6RJ2LSTikmt03JoG5g"}]}}}

   As the entries above show, Alice reuses the weak password 'secret'
   on both sites; she really needs to start using stronger passwords.
   Fortunately, having access to a password manager means that Alice no
   longer needs to remember a different password for every site she
   uses.

   In addition to offering to use the Mesh to remember passwords, a Web
   browser can offer to automatically generate a password for a site.
   Such a password can be much stronger than one the user would choose
   if they had to remember it.

   Alice chooses to use password generation.  Her password manager
   profile is updated to reflect this new choice:

   {
     "PasswordProfilePrivate": {
       "AutoGenerate": true,
       "Entries": [{
           "Sites": ["example.com"],
           "Username": "alice",
           "Password": "secret"},
         {
           "Sites": ["cnn.com"],
           "Username": "alice1",
           "Password": "secret"}]}}

   Alice is happy to use the password manager for her general Web sites
   but not for the password she uses to log in to her bank account.
   When asked if the password should be stored in the Mesh, Alice
   declines and asks not to be asked in the future:

   {
     "PasswordProfilePrivate": {
       "AutoGenerate": true,
       "Entries": [{
           "Sites": ["example.com"],
           "Username": "alice",
           "Password": "secret"},
         {
           "Sites": ["cnn.com"],
           "Username": "alice1",
           "Password": "secret"}],
       "NeverAsk": ["bank.com"]}}

3.1.  Bookmark Management

   The use of the Mesh to store bookmarks is an obvious extension of its
   use as a password manager.  The principal differences are that the
   privacy concerns, while real, are less critical than for stored
   credentials, and that a bookmark file is likely to be considerably
   longer than a password file.

   The principal design challenge in adding bookmarks is working out how
   to provide a convenient interface to help the user manage their
   bookmarks.  A hierarchical list of folders quickly becomes cluttered.

4.  Application Schema

4.1.  Password Application Profile Objects

4.1.1.  Structure: PasswordProfile

   Inherits: ApplicationProfile

   Stores usernames and passwords.

   No fields are defined beyond those inherited from
   ApplicationProfile.

4.1.2.  Structure: PasswordProfilePrivate

   AutoGenerate: Boolean (Optional)

      If true, a client MAY offer to automatically generate strong (i.e.
      not memorable) passwords for a user.  A user would not normally
      want to use this feature unless they have access to Mesh password
      management on every device they use to browse the Web.

   Entries: PasswordEntry [0..Many]

      A list of password credential entries.

   NeverAsk: String [0..Many]

      A list of domain names of sites for which clients MUST NOT ask to
      store passwords.

4.1.3.  Structure: PasswordEntry

   Username and password entry for a single site.

   Sites: String [0..Many]

      DNS name of the site.  A wildcard such as *.example.com matches
      www.example.com and other names below example.com.  Because a
      stored credential is offered to every host a pattern matches, a
      client should refuse a wildcard that covers more than one site's
      registrable domain (for example *.com would match every .com
      host).

   Username: String (Optional)

      Case sensitive username.

   Password: String (Optional)

      Case sensitive password.

5.  Demonstration

   A demonstration of using the Mesh to manage Web browser passwords is
   described.

   The end goal in developing the Mesh application protocols is to
   encourage application providers to provide native support for the
   Mesh, rendering browser extensions obsolete.  Such implementation is
   likely to be best encouraged through provision of a reference
   library in C.

   I propose implementation of a demonstration as follows:

   Platform:  Windows

   Browser:  Chrome

   Approach:

      Integration with browser features is provided by a platform-
      independent extension module.

      Mesh integration is provided by a platform-specific executable
      written in C.

   For initial testing and canned demo purposes, the Mesh integration
   module will be a 'stub' that accesses a data file at a defined
   location on disk containing the PasswordProfilePrivate data
   structure.  The task of synchronizing data with the Mesh will be
   performed using the Mesh profile management client.
   Further development:

      Implementation of the production extension by modifying the
      platform-specific executable.

      Support for macOS by implementing a macOS-specific platform
      executable.

      Support for Linux by implementing a Linux-specific platform
      executable.

   This approach allows the platform-specific executables to be tailored
   to the cryptographic key management capabilities offered by each
   platform, for example the use of a TPM to protect private keys on
   Windows or the Keychain on macOS.

6.  Normative References

   [draft-hallambaker-mesh-architecture-01]
              Hallam-Baker, P., "Mathematical Mesh: Architecture",
              draft-hallambaker-mesh-architecture-01 (work in
              progress).

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

Author's Address

   Phillip Hallam-Baker
   Comodo Group Inc.

   Email: philliph@comodo.com