is a playground for people that love the internet. We develop tools to repopulate a decentralised global internet that offers security and privacy by design. An Internet that treats its end users as full-blown citizens, and not as milking cows.

You shouldn't have anything less!

The practical projects on this site arose from our architectural thinking on On this blog we discuss what it takes to make the internet live up to its full potential. Where we explain our motivations in detail.

You are more than welcome to join us, regardless of who you are. It might be crazy to try to rebuild a global information infrastructure from the ground up, but it is also a lot of fun!

Some of our projects

TLS Pool -- better control over TLS security

Status: Active development since June 1st, 2014.

Our software makes internet connections for us all day, and shielding nomadic users and unpredictable services against even the most common external attacks is pretty challenging. Transport Layer Security (TLS) was designed for this purpose, but more often than not it users do not get the protection they deserve. Cryptography may not be too difficult to get started with, but it certainly is tough to completely lock down. How do we protect and monitor all those connections, and make sure that no software is left behind in the arms race - exposing users and their systems to information leaks or worse?

More info on TLSPool

TLS-KDH -- Kerberos combined with Diffie-Hellman, for use over TLS

Status: Active development since June 1st, 2014.

When we setup an identity provider, it will use the commonly used infrastructural component Kerberos, in some form. Many protocols support Kerberos for single sign-on, but many others don't. One of the most dramatic cases is HTTP, for which no good solution exists. TLS-KDH integrates Kerberos into TLS, and effectively makes Kerberos authentication available to a large number of protocols; and it could help to get more implementations support Kerberos through a SASL EXTERNAL procedure (which is more commonly supported than SASL GSSAPI).

More info on TLS-KDH

Realm Crossover -- Access remote services with your home identity

Status: Exploring; may be related to TLS-KDH active development.

An identity provider for a local security realm is immensely useful, as it enables central organisation of users and machines; furthermore, this management could be outsourced to a domain hosting party. But the real value of secure use of the Internet is unleashed when crossover to other realms is possible. So the task we set ourselves here is to create links between identity providers and remove authorisation services, and to permit remote entities to verify locally defined network identities before deciding whether they are welcome ("have an account") for access to a remote resource.

More info on Realm Crossover

SteamWorks -- Live configuration across unreliable networks

Status: Active development since June 1st, 2014.

This project identifies and implements network components for the (semi-)central configuration of systems and the subsequent distribution of configuration information across potentially unreliable networks. When these networks are up and running, the information is spread in near realtime ("live updates") and if not then isolated nodes continue on the last-known-good configuration. This is intended to support a central controlling node with independentely managed satellites to provide services.

More info on SteamWorks

SNItch -- the SNI-based Switch

Status: Proof of concept released, no current activity.

Server Name Indication is an internet standard to describe how to use secure connections for different sites from a single setup. The SNItch tool switches incoming TLS connections based on the SNI contained in them. It is assumed that the full SNI extension fits in the first record transmitted.

More info on SNItch

Reservoir -- Stashing and Sharing your Documents and Media

Status: Proof of concept released, no current activity.

This project deals with an easy-to-search personal "stash" of documents, with incoming and outgoing queues that support interaction with others over various mechanisms.

We have created a proof-of-concept for one specific protocol with krsd, a RESTful document store with Kerberos authentication over SPNEGO. Ideally, we would replace SPNEGO with the TLS-KDH mechanism after getting that adopted.

More info on Reservoir

Global Directories

Status: Design phase. See also SteamWorks.

In short, a global directory is a way of retrieving contact information from others, using standard technology, so you can employ automatic tools that download and update contact information without manual intervention - or without any third parties snooping into your private or business social environment. Moreover, you can use the same technology to share any relevant information (such as keys for protection of your email) to anyone.

More info on Global Directories