Send in your ideas. Deadline June 1, 2024

ARPA2 Steamworks

Near-instantaneous controlled configuration settings over any network

ARPA2 SteamWorks is a set of tools that co-operate to transmit more-or-less centrally controlled configuration settings over any network, and make these settings available to individual programs. Updates are passed around instantaneously when network connections are good, but the last version of the information can be used when the network temporarily degrades. The project is part of the ARPA2 project, which is engineering towards an overall architecture scalable to run a future internet that is secure by design.

The ARPA2 project logo

Configuring and provisioning TLS — trusted (root) certificates, intermediates, end-user certificates, and public keys — can be a complicated business. The ARPA2 TLS Pool project makes it simpler for third-party applications (e.g. a web browser, or a web server) to use TLS and identity information. Configuration of TLS Pool itself however is still somewhat complicated: it provides a number of databases for configuring its behavior -- that is, the way it provides TLS and identity support to applications and the parameters of its outgoing TLS connections -- but filling those databases needs an API and a user interface.

ARPA2 SteamWorks is about creating machinery for distributing configuration information through LDAP and using that for local provisioning through the Pulley (a local daemon) and Pulley Plug-ins (used to configure specific applications, e.g. TLS Pool). The configuration of the Pulley is done through a Pulley Script (which can, in turn, be distributed through LDAP).

The Pulley Plug-in mechanism is generic and in the longer term will evolve more plug-ins for configuring other (sub)systems, e.g. writing ISC DHCPd configuration or Local Unbound configuration files.

The project will make it possible to connect the complete configuration of TLS Pool to the SteamWorks machinery by building a SteamWorks Pulley Plug-In and Pulley Scripts that can fully configure TLS Pool. This includes defining all of the configuration elements for TLS Pool in LDAP schemata.

SteamWorks also provides a framework for writing web-based front-ends to the LDAP configuration though the Crank component of SteamWorks. In order to provide the user interface for TLS Pool provisioning, we will construct that front-end (web application). This gives us a mechanism for filling the TLS Pool configuration in LDAP, distributing it to the Pulley through LDAP, and then locally turning it into configuration for provisioning TLS for applications. (An extension of this mechanism would involve generically associating Some parts of this system are already built as proofs-of-concept: there is a stub Pulley Plug-in for configuring the trusted root certificates in TLS Pool, as well as a rudimentary web-interface for filling those in in LDAP. This project aims to turn those proofs-of-concept into fully functional configuration tools.

Earlier work on ARPA2 Steamworks was funded with a joint subsidy from NLnet and the programme "[veilig] door innovatie" from the Netherlands government.

For a complete overview of other projects within ARPA2 visit the ARPA2 website.

TLS-KDH is supported by NLnet and the Internet Hardening Fund.