Shape Up Pitch: WebDAV Authentication and Authorization for backspaces.agentscript.org

Problem

We need a robust, decentralized authentication and authorization mechanism for the WebDAV server at backspaces.agentscript.org that integrates with our Digital Acequia framework. The solution must allow domain/subdomain owners to authenticate using their PKI keys and mount directories securely based on their domain or subdomain.

Additionally, the system should support delegation of access permissions by domain/subdomain owners to other users. For instance, backspaces (the username for Owen Densmore) may later grant read/write permissions to other users by issuing access tokens.

Appetite

We want to implement this feature as a test case within a 4-week cycle, ensuring:

• Secure authentication using PKI and DNS TXT records.
• Dynamic directory mounting based on domain/subdomain (e.g., backspaces.agentscript.org).
• Clear and manageable Access Control Lists (ACLs) for authorization.
• Support for permission delegation by domain owners via access tokens.
• A scalable foundation that can be extended to other domains in the future.

Solution

Key Components

1. Authentication via PKI and DNS TXT Records:
   • Domain/subdomain owners publish their public key in a DNS TXT record.
   • The WebDAV server retrieves the public key from DNS and verifies the client’s identity using a signed challenge-response mechanism.
2. CNAME-Based Directory Mapping:
   • Use the DNS CNAME entry to associate the subdomain backspaces.agentscript.org with a specific WebDAV server.
   • Dynamically mount a directory named after the subdomain (e.g., /backspaces.agentscript.org/).
3. Authorization with ACLs:
   • Set up directory-specific ACLs to control actions (e.g., READ, WRITE, DELETE, LIST) for authenticated users.
   • Support delegation of permissions, where domain owners can grant other users read/write access.
4. User-Managed Public Keys:
   • Users store their public keys in files within directories on their own subdomains/domains.
   • For example, a user could upload their public key to /public_keys/user1.pub on their domain.
5. Access Tokens for Delegation:
   • Domain owners like Owen Densmore can issue access tokens to other users.
   • Access tokens specify permissions (e.g., READ, WRITE) and can have expiration times.
   • The WebDAV server validates tokens during authentication to enforce delegated permissions.
6. Logging and Auditing:
   • Maintain logs of all authentication attempts and directory operations for auditing and debugging.

Steps to Implement

1. DNS Configuration:
   • Add a DNS TXT record for backspaces.agentscript.org with a test public key.
   • Create a CNAME record pointing to the WebDAV server.
2. WebDAV Server Enhancements:
   • Implement DNS-based public key retrieval.
   • Add a challenge-response mechanism for authentication.
   • Integrate a directory-mounting mechanism based on the subdomain.
3. Access Control:
   • Configure basic ACLs for backspaces.agentscript.org to allow READ and WRITE operations for authenticated users.
   • Add support for permission delegation using access tokens.
4. Public Key Management:
   • Develop functionality for users to upload and manage their public keys on their subdomains/domains.
   • Ensure the server can retrieve and verify keys during access delegation.
5. Access Token Implementation:
   • Design a token issuance and validation mechanism.
   • Ensure tokens include permissions and expiration metadata.
6. Testing and Debugging:
   • Use test clients to validate authentication, delegation, and directory mounting.
   • Perform load testing to ensure scalability.
   • Log and audit all operations for review.

Rabbit Holes

• DNS Propagation Issues: Changes to TXT and CNAME records might take time to propagate, delaying testing.
• Edge Cases in Authentication: Handling expired keys or incorrectly formatted TXT records.
• Complex ACL Configurations: Balancing simplicity and flexibility for permissions management.
• Token Expiration and Revocation: Designing a seamless way to manage and revoke expired or compromised tokens.

Risks

• Security Risks: Any bugs in the PKI, token, or authentication flow could compromise security.
• Implementation Overhead: Integrating DNS, WebDAV, PKI, and token systems may require additional development time.
• Scalability: Ensuring the solution is efficient and scales to multiple domains/subdomains.

Success Criteria

• Successful authentication for backspaces.agentscript.org using a DNS TXT public key.
• Dynamic mounting of a directory /backspaces.agentscript.org/ on the WebDAV server.
• ACLs enforced for all operations, with support for permission delegation via access tokens.
• Users can upload and manage their public keys on their domains/subdomains.
• Extendable design that can be replicated for other domains in future cycles.

Team

• Development: Lead developer for WebDAV server integration.