Merge pull request #30 from arpa2/validation
Validation
Showing 31 changed files with 4,051 additions and 102 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,187 @@ | ||
Configuring TLS Pool over SteamWorks | ||
==================================== | ||
|
||
> *This document details what data the TLS Pool needs to be able to pull from | ||
> SteamWorks, and it describes how this leads to a general format that | ||
> SteamWorks should support. The data structures are considered flexible, | ||
> because Pulley can mix & match what it finds in various parts of the LDAP | ||
> structures.* | ||
Information need for the TLS Pool | ||
--------------------------------- | ||
|
||
- The TLS Pool needs to be able to fill its databases. The various database | ||
must be kept as independent as they currently are. | ||
|
||
- The settings are meant to be added to any local settings that may have been | ||
created in the databases by the TLS Pool user. It may be useful to ban | ||
certain values, but this does not seem easily possible. | ||
|
||
- This comes down to the following data sets: | ||
|
||
- *remoteid to localids.* This mapping is used to decide what local | ||
identity to present to a remote. The remote is generally not represented | ||
by a Domain-or-Network-Access-Identifier or DoNAI, but by a DoNAI | ||
Selector (see http://donai.arpa2.net). A trust validation expression | ||
may be included for each remote identity DoNAI Selector. | ||
|
||
- *localid to credentials.* This mapping is used to store various | ||
credential forms, such as certificates, PGP public keys, and so on. The | ||
PKCS \#11 URIs will be included. A trust validation expression may be | ||
included for each local identity DoNAI. | ||
|
||
- *trust settings.* This mapping is used to create trust bases, such as | ||
root certificates and pinning information. Each trust setting includes | ||
a trust validation expression. | ||
|
||
General information model for SteamWorks | ||
---------------------------------------- | ||
|
||
- SteamWorks is meant to store configuration information in LDAP. | ||
|
||
- Anything described here for SteamWorks can be used in other LDAP contexts as | ||
well. | ||
|
||
- Configuration information should use existing LDAP structures whenever | ||
possible. | ||
|
||
- Objects in LDAP are defined to hold one atomic unit of configuration. | ||
|
||
- Units of configuration may be combined as desired, for instance | ||
hierarchically. | ||
|
||
- There are likely to be “configuration sections” and “options with values”. | ||
|
||
- Access control will be exercised to reveal configuration only to desirable | ||
parties. | ||
|
||
Specific model for TLS Pool | ||
--------------------------- | ||
|
||
- Configuration information is more accurate when poored into dedicated | ||
structures | ||
|
||
- Access control is easier to apply on dedicated data; and this really helps | ||
security | ||
|
||
- Those TLS Pool specifics are constrained to an in-house /controlled | ||
environment | ||
|
||
- So… we are going to make special definitions for the TLS Pool in LDAP | ||
|
||
LocalID | ||
------- | ||
|
||
We represent the `localid.db` with an LDAP object per entry; multiple entries | ||
may share one key so we need to be somewhat careful; we cannot just use the | ||
local identity to identify the LDAP object. We can however add extra attributes, | ||
in the DN or even in the RDN of the object, to signify the entry in the | ||
database; specifically, `credentialType` and `supportedRole`, and perhaps more | ||
in future incarnations of this schema. During updates and removals, clients | ||
should look for entries that match the entire RDN, with the exception of local | ||
additons such as derived flags. This problem does not exist for the | ||
`disclose.db` whose entries can be enumerated as a list of DoNAIs. | ||
|
||
|
||
|
||
We will not define a syntax and matching rules for DoNAI and DoNAI Selector, as | ||
in | ||
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
# syntax ( TODO | ||
# DESC 'DoNAI, Domain or Netwerk Access Identifier, see http://donai.arpa2.net' ) | ||
# syntax ( TODO | ||
# DESC 'DoNAI Selector, see http://donai.arpa2.net/selector.html' ) | ||
# matchingrule ( TODO | ||
# DESC 'Compare if a DoNAI matches a DoNAI Selector' | ||
# SYNTAX TODO ) | ||
# matchingrule ( TODO | ||
# DESC 'Compare if a DoNAI Selector matches a DoNAI' | ||
# SYNTAX TODO ) | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
Instead, we will treat the DoNAI as an IA5String and restrict the syntax through | ||
comments. | ||
|
||
|
||
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
attributetype ( 1.3.6.1.4.1.44469.666.11.443.1.1 | ||
NAME 'tlsPoolCredentialType' | ||
DESC 'Short standardised string to describe the kind of credential: x509, openpgp, openssh, krb5, srp11, ...' | ||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 # IA5String | ||
EQUALITY 1.3.6.1.4.1.1466.109.114.2 # caseIgnoreIA5Match | ||
) | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
|
||
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
attributetype ( 1.3.6.1.4.1.44469.666.11.443.1.2 | ||
NAME 'tlsPoolSupportedRole' | ||
DESC 'A role that this object can play; usually values are limited to "client" and "server" but symmetric peers may set both values using two supportedRole attributes in the same object' | ||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 # IA5String | ||
EQUALITY 1.3.6.1.4.1.1466.109.114.2 # caseIgnoreIA5Match | ||
) | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
|
||
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
attributetype ( 1.3.6.1.4.1.44469.666.11.443.1.3 | ||
NAME 'tlsPoolValidationExpression' | ||
DESC 'An expression in the validation logic of the TLS Pool' | ||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 # IA5String | ||
EQUALITY 1.3.6.1.4.1.1466.109.114.2 # caseIgnoreIA5Match | ||
SINGLE-VALUE | ||
) | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
|
||
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
objectclass ( 1.3.6.1.4.1.44469.666.11.443.1.6 | ||
NAME 'tlsPoolTrustedIssuer' | ||
DESC 'A credential that is considered trustworthy under the given validation expression' | ||
SUP distinguishedName | ||
MUST ( tlsPoolCredentialType $ tlsPoolSupportedRole ) | ||
) | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
|
||
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
objectclass ( 1.3.6.1.4.1.44469.666.11.443.1.7 | ||
NAME 'tlsPoolLocalUserCredential' | ||
DESC 'A (key,value) entry in the TLS Pool database of Local Identities' | ||
SUP pkcs11PrivateKeyObject STRUCTURAL | ||
MUST ( tlsPoolCredentialType $ tlsPoolSupportedRole ) | ||
) | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
|
||
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
objectclass ( 1.3.6.1.4.1.44469.666.11.443.1.8 | ||
NAME 'tlsPoolIdentityDisclosure' | ||
DESC 'A (key,value) entry in the TLS Pool database for Disclosure of Local Identities; the group name is in the "cn" attribute and group members are denoted as "cn=" RDN values in the "member" attributes' | ||
SUP groupOfNames STRUCTURAL | ||
MUST ( cn $ member ) | ||
) | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
|
||
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
objectclass ( 1.3.6.1.4.1.44469.666.11.443.1.9 | ||
NAME 'tlsPoolValidationRequirements' | ||
DESC 'Requirements imposed on or by the described object' | ||
AUXILIARY | ||
MUST ( tlsPoolValidationExpression ) | ||
) | ||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
||
|
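Review bot: the `tlsPoolTrustedIssuer` objectclass (1.3.6.1.4.1.44469.666.11.443.1.6) is declared with `SUP distinguishedName`, but `distinguishedName` is an attribute type, not an object class, so a schema parser will reject this definition; use a real superior such as `top` and state the kind (`STRUCTURAL` or `AUXILIARY`) explicitly, as the other classes in this hunk do. Second, the `# IA5String` and `# caseIgnoreIA5Match` annotations sit mid-line inside the three `attributetype` definitions; slapd-style schema files only treat `#` as a comment at the start of a line, so either move those annotations onto their own line above the definition or write `EQUALITY caseIgnoreIA5Match` directly and drop the comment. Minor: `MUST ( cn $ member )` on `tlsPoolIdentityDisclosure` restates what `groupOfNames` already requires, and the prose has the typos 'poored', 'additons' and 'Netwerk'.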