Security
CORVID hand-waves many questions about access control by subsuming the problem space into the narrative model. Each user has complete, absolute control over their own canon. Group canon exists only insofar as the group agrees that it does. That is, all reality in CORVID is subjective. The O in CORVID is associated strongly with the I and D: objectivity is interpreted and distributed.
Yes, yes, I was getting to that.
The security analysis is all the more complex because of the many layers CORVID comprises.
CORVID requires one externally reachable (non-localhost) open port, through which it exposes itself to non-local users and to engines serving remote domains so that they can cooperate. That port carries a standard HTTPS service and can be secured in all the usual ways, so the security of the host boils down to the security of the engine itself:
Engines make two kinds of connections: user and domain.
User connections are (currently) localhost-only, so to access your engine, someone has to have the ability to establish connections from within your machine. These days there are very few multi-user hosts in the world and one wouldn't normally run a CORVID domain on one. If this becomes a problem in the future we will add an additional authorization layer to protect this interface.
Domain relationships are created when a user asks a remote domain to sign their certificate request and then installs that signed certificate in their local domain. That cert is used to establish TLS connections between the domains. At this point the usual best practices for protecting a TLS service apply, so CORVID is not making things any worse. The work associated with signing the CSR is commensurate with the work associated with generating the request.
Once the client has demonstrated its seriousness by submitting a CSR and then connecting back with the signed certificate, policy negotiations can take place.
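The domain-relationship exchange just described, as an added example and not CORVID's own code: the helper names (must, newDomainCA, signCSR, requestCert, linkDomains), the domain names remote.example and local.example, and the choice of Go's standard crypto/tls over an in-memory pipe are all assumptions for illustration. It shows the three checks a defender wants in this flow: the signer verifies the CSR's own signature as proof that the requester holds the private key, the certificate it issues is short-lived, non-CA and limited to client authentication, and the signing domain's TLS server accepts only client certificates that chain to the CA it actually exchanged with, refusing one signed by an unrelated CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Hypothetical helpers written for this example; none of these names are CORVID's API.
// must panics on setup errors (key generation, self-signing) so that the
// security checks further down stay visible as explicit error returns.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// domainCA is one engine's signing identity: a key pair plus a self-signed CA
// certificate that a peer domain installs as its trust anchor.
type domainCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newDomainCA(name string) *domainCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &domainCA{cert: must(x509.ParseCertificate(der)), key: key}
}

// signCSR is the signing domain's side. CheckSignature proves the requester holds
// the private key; the issued cert is short-lived, non-CA and limited to one
// extended key usage, so a signed cert can never become a signer itself.
func signCSR(ca *domainCA, csrDER []byte, usage x509.ExtKeyUsage) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      csr.Subject,
		DNSNames:     []string{csr.Subject.CommonName}, // the SAN the TLS peer checks
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
		BasicConstraintsValid: true, // IsCA stays false
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// requestCert is the requesting domain's side: generate a key pair, submit a
// CSR naming itself, and keep the signed certificate beside the private key.
func requestCert(signer *domainCA, name string, usage x509.ExtKeyUsage) (tls.Certificate, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csr := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key))
	der, err := signCSR(signer, csr, usage)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// linkDomains plays out the exchange: "local" has its CSR signed by signer,
// installs the result and connects back to "remote", which accepts only client
// certs chaining to its own CA. It returns the CommonName remote verified; a
// signer remote never exchanged certs with makes the handshake fail.
func linkDomains(signer, remote *domainCA) (string, error) {
	srvCert := must(requestCert(remote, "remote.example", x509.ExtKeyUsageServerAuth))
	cliCert, err := requestCert(signer, "local.example", x509.ExtKeyUsageClientAuth)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool() // trust exactly one CA: the peer's
	pool.AddCert(remote.cert)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{srvCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		SessionTicketsDisabled: true} // no post-handshake write on the pipe
	clientCfg := &tls.Config{Certificates: []tls.Certificate{cliCert},
		RootCAs: pool, ServerName: "remote.example"}
	c1, c2 := net.Pipe() // synchronous in-memory link; deadline bounds any stall
	defer func() { c1.Close(); c2.Close() }()
	c1.SetDeadline(time.Now().Add(3 * time.Second))
	c2.SetDeadline(time.Now().Add(3 * time.Second))
	go func() { // client side: handshake, then one read so a rejection alert is consumed
		if cli := tls.Client(c2, clientCfg); cli.Handshake() == nil {
			cli.Read(make([]byte, 1))
		}
	}()
	srv := tls.Server(c1, serverCfg)
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

linkDomains(remote, remote) returns "local.example", the identity policy negotiation can then rely on; linkDomains(stranger, remote) returns a verification error from the server side. SessionTicketsDisabled and the deadlines exist only because net.Pipe is synchronous; a real listener needs neither. In a deployment, signCSR would also apply policy to the requested subject (is this the domain we intended to sign for?) rather than copying it from the CSR as done here.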
A single open port provides both the CSR facility and the API for domain communication after cert negotiations. While this could be a rich attack surface, the industry has ample understanding of the issues involved.