Problem: I forgot to push some files
Problem: There is no way to register PK <-> user
Solution:
- Implement a challenge-response registration phase to verify PK existance
- Implement a registration phase given valid response
- Implement a client that demonstrates registration capability
Also included in this commit:
- Persist the data on the filesystem (prototyping ftw!)
- Encode sigs as Base64 as is done with other binary types
- Add tests for said encodings, etc
Problem: README.md is outdated
Solution:
- Mention that we have a kdf now in README
- Catch up a little bit with what we have done so far
Problem: can't send detached signatures around
Solution:
- Add instances for JSON serialisation for Signature type
- Reuse DoAuth.Json as much as possible, but write a hacky FromJSON
instance. (TODO Generalise DoAuth.Json)
Next up:
- Write tripping tests for this serialisation
- Use this serialisation to encode Post request body in phase 2 of
registration
Problem: Need B64 to send signed challenge back
Solution:
- Abstract away b64encode/decode for To/FromJSON instances
(DoAuth.Json)
- Specify the API a little bit more for DoAuth.Server
- Add test to figure out what should be the logic of signing a
challenge
Up next:
- Implement To/FromJSON instance for Signature
Problem: No HTTP server
Solution:
- Implement a dummy HTTP server
- Reexport its `main` function from our (currently only) `app`
We probably should rename our currently only app to `doauth-server`,
because we'll implement a Haskell client for functional testing
purposes.
Problem: No HTTP server for interact. protocol
Solution:
- Start servant API to support interactive protocol
- While working on dummy endpoints, realise that to pass Challenge
object (or any other object containing unprintable characters)
to JavaScript, we will need to encode it into a data format that
supports raw byte transfer.
- Choose Base64 as one such format.
- Tweak Challenge to have From / To JSON instances that work with
Base64
- Write roundtrip (tripping) test
- Write Challenge byetsize test
Problem: real crypto is required for safe system
Solution:
After patching haskell-crypto libraries to allow for
- Seeded signing key derivation
- Detached signatures support
We were finally able to
- Eliminate encryption terms from PKC (because in libsodium algorithms
for signing and encryption are different and picked like this
for a reason)
- Remove IO from everything that's really pure (or should be pure if
libsodium is correct)
- Pick params for pwhash that are reasonable currently
Problem: No way to generate keypairs in pkc
Solution:
- Use newly implemented function `seededKeypair` from `NaCl`
- Use jonn's srht fork for that
- Update type signatures accordingly
- Update dummyPkc
- Update Crypto.Client's mkKeypair / rmkKeypair
Problem: Challenges are needed to issue claims
Solution:
- Add DoAuth.Crypto.Server module
- Implement 8-byte challenge generation with generate from Crypto.Nonce
Also included in this commit:
- Use git version of haskell-crypto instead of hackage (to get access
to Crypto.Nonce module)
- Add some more ideas to README.md, scoping the project better
Problem: no crypto for DID-esque implementation
Solution: before introducing real cryptography implementation based on
libsodium, add dummy cryptography interface.
It's important for testing purposes, interfaced definition and to be
able to later on swap one cryptographic library for another one.
Problem: auth in 2020 is broken DID looks OK
Solution:
- Start a prototype Haskell implementation inspired by the ideas of DID
standard working draft
- Aim for the prototype to be consisting of
- KDF keypair generation solution
- DID document storage in a central identity tracking server
- Web interface demonstrating sign on
- SSO demo that shows how a user can use do-auth to authenticate with
two services, then each service reasons whether they want to
allow the identity holder in or not
These are the overall goals for the project, don't treat the words I
used in this commit message as something with precise semantics, I'm
still exploring DID standards and figuring out proper architecture.