forked from jdkelleher/dcc
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathMilestones
More file actions
99 lines (77 loc) · 3.75 KB
/
Milestones
File metadata and controls
99 lines (77 loc) · 3.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
Version 0.1 milestones:
- server has two database tables
- encrypted credentials and metadata
- client certificates
- database is kept extra simple, e.g. ndbm
- database changes handled outside the server, it detects the file changed by timestamp
- credentials are encrypted in the database using a symetric cipher
- the cipher key is held in server's memory
- in test, the cipher key comes from a config file
- in production, the cipher key comes from a human.
- initial server implementation in perl, so we can have taint
- cli client
- initially in perl
- config file, global with cmd line flag
- client certificate from config file or cmd line flag
- returns credential on stdout
- only needs to support store and retreive
- runs in userspace, as user
- communication is via TLS and https-like protocol
- clients authenticate using per-user, possibly per-app x509 client certificates
- certificate management is manual
- clients request a credential by unique identifier
- names are arbitrary strings, but recommend a tuple naming scheme
- e.g. "hostname,user,application" or "ID,Resource"
- tuple should be simple but support collision avoidance for dupe names
- recommend avoiding shell metacharacters
- server always returns something
- no access controls yet
Version 0.2 milestones:
- introduce access controls
- may group credentials for access management
- seperate table for access controls?
- server enforces per credential access rules for client host and client user
- server always returns something, but it may be "access denied".
- keep simple, 1 access administrator for now
Version 0.3 milestones:
- expand storage options, e.g. sqlite, Tie::Hash, etc
- decide on replication strategy - in app layer or offload to db
- decision will riple to future milestones
- multiple servers, one master, N replicas
- changes are propagated from master to replicas manually
- Changes must be introduced at the master
- the servers do not share the cipher key between them
- some way to tell master to add/update/delete credentials on the fly
- enhance access controls
- access control by time of day/week
- hierarchical access administration / delegation
- multiple access administrators
Version 0.4 milestones
- automatic data replication
- no single master, all peer servers vote/agree on replication
- automatic key replication between servers? Is this secure?
- expand storage options if not already done for replication - mysql, postgres, reak, redis, etc
****
**** Should be ready for non-critical use here. ****
****
Version 0.5 milestones
- optional client agent
- maintains list of responding servers, sorted by speed
- handles retries
- simplfies client certificate management
Version 0.6 milestones:
- auto-change credentials
- timeout credentials
Version 0.7 milestones:
- optional double encryption flag where credential must be decrypted a second time by key on client
- review design decisions and decide if rewites are necessary, e.g.
- rewrite server in C, so we can control key memory paging, and obfuscate key memory
- rewrite client in C, so we can control memory paging, and obfuscate memory
- rewrite agent in C, so we can control memory paging, and obfuscate memory
- add milestones as appropriate
- consensus on Version 1.0 goals
Version 0.8 milestones:
- To Be Determined
****
**** Should be ready for robust use here. ****
****