Proposed Security Infrastructure

  1. X.509 Certificate Based authorization
    1. Distribute several things with software
      1. Copy of root certificate (for verifying other certificates)
      2. Public key
    2. On installation
      1. User creates a DN (Distinguished Name, a name unique on our system)
        1. Email address? Perhaps a username that they make up. I doubt people want their emails available to anybody who uses the system.
      2. Certificate is created and signed by CA. Private key is also created.
      3. Certificate and private key are sent back to user (should be encrypted via PGP or similarly secure method)
      4. Copy of certificate is cached on the server as part of user profile.
    3. When a user tries to sign into a server
      1. Server checks certificate against root certificate
      2. Server checks against list of revoked certs (updated occasionally, say 1/day)
      3. Server checks to see if user has logged in before
        1. If yes, does what it can with the permissions it has stored for that user
        2. If no, puts user into its database at a default permission level
  2. CA's role in DNS
    1. On server installation
      1. User is asked for name of server
        1. Name is appended with their username to avoid naming conflicts
      2. Name of server is registered with CA (checks for further collisions)
        1. Server gives dynamic DNS name to server based on name reported. Server is responsible for occasionally updating the CA with its public IP and what port it is currently running on. (On boot, and daily?) All private IP DNS will be handled by a Zeroconf system.
  3. CA's role as web server
    1. User goes to www.waycooldmp.com (our webserver) and clicks login; they can then access their profile
      1. Obtain certificate for authentication.
      2. Obtain list of collections and playlists.
    2. Flash player (or Java Applet), run off our webserver, utilizes their profile just like any other client would
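
The sign-in checks from item 1.3, sketched in Go with only the standard library; this is an added example, not code from the project. The names `Login` and `issue`, the "default" level, and holding the revoked list as a set of serial-number strings are assumptions made for illustration, and the sample certificates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Login follows the sign-in steps; revoked holds serials from the CA's daily list.
func Login(ca *x509.Certificate, revoked map[string]bool, perms map[string]string, c *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil { // step 1: signature chain and validity dates
		return "", fmt.Errorf("not issued by our CA: %w", err)
	}
	if revoked[c.SerialNumber.String()] { // step 2: still validly signed, but withdrawn
		return "", fmt.Errorf("certificate %v is revoked", c.SerialNumber)
	}
	dn := c.Subject.String() // trusted only now that the certificate has verified
	if _, seen := perms[dn]; !seen {
		perms[dn] = "default" // step 3: first login gets the default level
	}
	return perms[dn], nil
}

// issue builds constructed sample data (errors ignored); a nil parent yields a self-signed CA.
func issue(cn string, sn int64, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, k, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(sn), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, pk, t.IsCA, t.BasicConstraintsValid = t, k, true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, k
}

func main() {
	ca, key := issue("Example Root CA", 1, nil, nil)
	alice, _ := issue("alice", 2, ca, key)
	fmt.Println(Login(ca, map[string]bool{"3": true}, map[string]string{}, alice))
}
```

A certificate carrying an existing user's DN but signed by a different CA fails at step 1, so it never reaches the permission lookup. Only the presented certificate is verified here; authenticity and freshness of the revoked list itself are not checked.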