ARPA2.net projects overview
ARPA2.net is a playground for people who love the internet. We develop tools to repopulate a decentralised global internet that offers security and privacy by design: an internet that treats its end users as full-blown citizens, not as cash cows.
You shouldn't have anything less!
The practical projects on this site arose from our architectural thinking on InternetWide.org. On that blog we discuss what it takes to make the internet live up to its full potential, and we explain our motivations in detail.
You are more than welcome to join us, regardless of who you are. It might be crazy to try to rebuild a global information infrastructure from the ground up, but it is also a lot of fun!
Some of our projects
TLS Pool -- better control over TLS security
Status: Active development since June 1st, 2014.
Our software makes internet connections for us all day, and shielding nomadic users and unpredictable services against even the most common external attacks is pretty challenging. Transport Layer Security (TLS) was designed for this purpose, but more often than not its users do not get the protection they deserve. Cryptography may not be too difficult to get started with, but it certainly is tough to lock down completely. How do we protect and monitor all those connections, and make sure that no software is left behind in the arms race, exposing users and their systems to information leaks or worse?
More info on TLSPool
TLS-KDH -- Kerberos combined with Diffie-Hellman, for use over TLS
Status: Active development since June 1st, 2014.
When we set up an identity provider, it will use the commonly used infrastructural component Kerberos, in some form. Many protocols support Kerberos for single sign-on, but many others don't. One of the most dramatic cases is HTTP, for which no good solution exists. TLS-KDH integrates Kerberos into TLS, and effectively makes Kerberos authentication available to a large number of protocols; it could also help more implementations support Kerberos through a SASL EXTERNAL procedure (which is more commonly supported than SASL GSSAPI).
More info on TLS-KDH
Realm Crossover -- Access remote services with your home identity
Status: Exploring; may be related to TLS-KDH active development.
An identity provider for a local security realm is immensely useful, as it enables central organisation of users and machines; furthermore, this management could be outsourced to a domain hosting party. But the real value of secure use of the Internet is unleashed when crossover to other realms is possible. So the task we set ourselves here is to create links between identity providers and remote authorisation services, and to permit remote entities to verify locally defined user@domain.name network identities before deciding whether they are welcome ("have an account") to access a remote resource.
More info on Realm Crossover
SteamWorks -- Live configuration across unreliable networks
Status: Active development since June 1st, 2014.
This project identifies and implements network components for the (semi-)central configuration of systems and the subsequent distribution of configuration information across potentially unreliable networks. When these networks are up and running, the information is spread in near real time ("live updates"); if not, isolated nodes continue on the last-known-good configuration. This is intended to support a central controlling node with independently managed satellites that provide services.
More info on SteamWorks
SNItch -- the SNI-based Switch
Status: Proof of concept released, no current activity.
Server Name Indication (SNI) is an internet standard, a TLS extension in which the client names the site it wants to reach, so that secure connections for different sites can be served from a single setup. The SNItch tool switches incoming TLS connections based on the SNI contained in them. It is assumed that the full SNI extension fits in the first record transmitted.
More info on SNItch
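The assumption stated above is worth seeing in code: a switch that inspects only the first TLS record can route a connection without terminating TLS, but only when the ClientHello (and its SNI extension) is complete in that record. The following is an added example written for this page, not SNItch's own code; it parses a ClientHello, extracts the host_name entry of the server_name extension, and routes to a backend by name. The ClientHello bytes, the backend table and the `route` function are constructed for the example; a client whose hello is split across records, or that sends no SNI, falls back to the default backend instead of being misrouted.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello in a single record.
    This is constructed sample data for the example, not a capture."""
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
    sni_ext = struct.pack("!H", len(sni_list)) + sni_list       # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext    # extension type 0
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)       # client_version + random
            + b"\x00"                      # session_id: empty
            + b"\x00\x02\x00\x2f"          # one cipher suite
            + b"\x01\x00"                  # compression methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def split_records(record: bytes, first_chunk: int) -> list:
    """Re-frame one record's payload as two records, as a client with a
    large ClientHello might send it; the first record holds only a fragment."""
    payload = record[5:]
    parts = [payload[:first_chunk], payload[first_chunk:]]
    return [record[:3] + struct.pack("!H", len(p)) + p for p in parts]

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello held entirely in this one
    TLS record, or None when the record is not a complete ClientHello
    (non-handshake traffic, truncation, fragmentation, or no SNI)."""
    if len(record) < 5 or record[0] != 0x16:       # ContentType handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + rec_len]
    if len(payload) < rec_len or len(payload) < 4 or payload[0] != 0x01:
        return None
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    if len(hello) < hs_len:
        return None   # ClientHello continues in a later record: the SNItch assumption fails
    pos = 2 + 32                                   # skip version and random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if len(hello) < pos + 2:
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end > len(hello):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if len(data) < ext_len:
            return None
        if ext_type != 0x0000:                     # not server_name
            continue
        if len(data) < 2:
            return None
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(data)):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            if len(name) < name_len:
                return None
            if name_type == 0:                     # host_name
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
            p += 3 + name_len
        return None
    return None

def route(record: bytes, backends: dict, default: str) -> str:
    """Pick a backend by SNI; anything unparseable or unknown goes to the default,
    so a malformed or fragmented hello can never select an arbitrary backend."""
    name = extract_sni(record)
    return backends.get(name, default) if name else default

if __name__ == "__main__":
    table = {"www.example.org": "backend-a", "mail.example.org": "backend-b"}
    hello = build_client_hello("www.example.org")
    print(extract_sni(hello), route(hello, table, "fallback"))
    first, _ = split_records(hello, 40)
    print(extract_sni(first), route(first, table, "fallback"))
```

The second call in the usage block shows the documented limitation: with the hello re-framed into two records, the first record alone yields no name, and the switch must either buffer further records or fall back, which is exactly what the "fits in the first record" assumption sidesteps.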
Reservoir -- Stashing and Sharing your Documents and Media
Status: Proof of concept released, no current activity.
This project deals with an easy-to-search personal "stash" of documents, with incoming and outgoing queues that support interaction with others over various mechanisms.
We have created a proof-of-concept for one specific protocol with krsd, a RESTful document store with Kerberos authentication over SPNEGO. Ideally, we would replace SPNEGO with the TLS-KDH mechanism after getting that adopted.
More info on Reservoir
Global Directories
Status: Design phase. See also SteamWorks.
In short, a global directory is a way of retrieving contact information from others using standard technology, so you can employ automatic tools that download and update contact information without manual intervention, and without any third parties snooping into your private or business social environment. Moreover, you can use the same technology to share any relevant information (such as keys for protecting your email) with anyone.
More info on Global Directories