Lumions Working Group D. Shearer Internet-Draft R. De Smet Intended status: Informational C. Calvelli Expires: 4 August 2022 LumoSQL 31 January 2022 Lumions: Portable, Private, Secure, Unique, Updatable Data Primitives draft-shearer-desmet-calvelli-lumionsrfc-00 Abstract This memo defines Lumions, a new kind of secure, unique data encapsulation primitive designed for reliable, fine-grained storage and movements of arbitary data between arbitary storage mechanisms and across arbitary networks. Lumions are also compatible with decentralised, distributed key management. To illustrate the main use case, Lumions would not be needed if JSON had sophisticated privacy and encryption features, with a single unique JSON namespace and a standard way of referring to other JSON objects. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 4 August 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components Shearer, et al. Expires 4 August 2022 [Page 1] Internet-Draft lumionsrfc January 2022 extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Feature Levels . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Mandatory Minimum Requirements . . . . . . . . . . . . . 4 3.2. Optional: Key Authority . . . . . . . . . . . . . . . . . 5 3.3. Optional: Versioning . . . . . . . . . . . . . . . . . . 5 3.4. Optional: Access Control . . . . . . . . . . . . . . . . 5 3.5. Optional: Checksums . . . . . . . . . . . . . . . . . . . 5 4. Properties of Lumions . . . . . . . . . . . . . . . . . . . . 5 5. Description of Lumions . . . . . . . . . . . . . . . . . . . 6 6. Lumions and Key Management . . . . . . . . . . . . . . . . . 7 7. Goals and Constraints . . . . . . . . . . . . . . . . . . . . 8 8. Lumion Data Format . . . . . . . . . . . . . . . . . . . . . 8 9. Lumion Data Formal ABNF Specification . . . . . . . . . . . . 9 10. Lumion UUID Format . . . . . . . . . . . . . . . . . . . . . 10 11. List of Lumion Ciphers, Signatures and Hashes . . . . . . . . 10 12. Example Use Cases . . . . . . . . . . . . . . . . . . . . . . 10 12.1. Data Tracking and Portability . . . . . . . . . . . . . 11 12.2. Time Travelling Data for Snapshotting . . . . . . . . . 11 12.3. Non-Fungible Token (NFT) Applications . . . . . . . . . 11 12.4. Online Backups . . . . . . . . . . . . . . . . . . . . . 11 13. Performance Considerations . . . . . . . . . . . . . . . . . 11 14. Security Considerations . . . . . . . . . . . . . . . . . . . 11 15. Related Work . . . . . . . . . . . . . . . . . . . . . . . . 12 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 16.1. Content-type registration for 'apoplication/lumion' . . 12 17. Informative References . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction A Lumion is a one-dimensional array of data signed with a public key which MUST contain a checksum, a version number and a universally unique identifier. A Lumion is binary data and MUST be stored in network byte order. Shearer, et al. Expires 4 August 2022 [Page 2] Internet-Draft lumionsrfc January 2022 In addition a Lumion MAY be encrypted with one or more schemes defined in this standard which together implement various forms of Role-based Access Control. These schemes offer different levels of access depending on the token supplied. After being updated with a valid write access, a Lumion will have an updated checksum. The updated signature will be valid in all situations where the previous version of the signature was valid. A Lumion has keys implemented as public/private key pairs, and there can be any (or no) key management authorities. The simplest case of a key management authority is where a program on a device creates a Lumion, making that program on that device the issuing authority. That program may subsequently be uninstalled, or the private key data it created be deleted or lost, making it a very transient key manaagement authority. Distinct from any other key management scheme users may implement, there is one specific key management authority scheme described in this RFC which stores lists of Lumion keys in an application of a public blockchain. This gives Lumions the optional ability to have a decentralised, globally distributed key authority. Situations where Lumion properties are helpful include internet- connected devices such as mobile phones; transparency requirements related to privacy; and data portability requirements between clouds. A new media type "application/lumion" is defined as a helpful hint for high-level applications. 1.1. Terminology The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in [RFC2119]. 2. Definitions Lumion Generator: software that can produce a Lumion for any supplied raw data. A Generator may be standalone or built into eg a database. A Lumion Generator must also be able to read Lumions, and is a full implementation of this RFC. Lumion Reader: is software that can access at least some data inside a Lumion, provided it has a key to do so, where a key is required by a particular Lumion. A Lumion Reader implements some of the verification and reading functionality in this RFC. Shearer, et al. Expires 4 August 2022 [Page 3] Internet-Draft lumionsrfc January 2022 Lumion Recogniser: is very simple software, perhaps a function or a script, that can detect the unique naming convention used by Lumions as defined in this RFC, and extract the universally unique identifier used by a particular Lumion. A Recogniser can extract Lumions from non-Lumion data, and search for a particular Lumion. A Recogniser will not be able to reliably determine whether any given Lumion is valid or not. Payload Data: an arbitary binary string within a Lumion of arbitary length less than 2^64 bytes. Payload Metadata: A checksum or version number specific to the Payload Data. Metadata: all data to do with access control, checksums and version numbers for the Lumion as a whole, the UUID and more. Access Control: The RBAC system implemented for Lumions, where valid users are anyone who has a valid key. A valid key can only be used to sign a Lumion if it is used for the correct purpose. For example, a read-only key cannot produce a valid signature for a Lumion after writing to it. Key Management Authority: a scheme selected by users to manage their Lumion keys. This could be any system at all, from a plain text file on a server on the internet to a Kerberos server. In the case of an embedded database library, the key management authority will often be either an individual app on the device (eg a banking app) or the device's platform-wide key management authority (eg the identity systems built into many versions of Android, and Apple phones.) Lumion Registry: One particular key management authority defined in this RFC for storing Lumion keys in a public blockchain. 3. Feature Levels 3.1. Mandatory Minimum Requirements A Lumion will always: * Have a standardised Lumion UUID * Be signed We would not expect plain text Lumions to be common, but they are valid. A plain text Lumion with a signature is no different in principle to a signed plain text MIME email. So long as the signature is valid we know that the data has not been changed. Shearer, et al. Expires 4 August 2022 [Page 4] Internet-Draft lumionsrfc January 2022 There is no requirement for a key management authority, even on a device, because it is also valid (and may sometimes be useful) for a Lumion Generator to discard all knowledge of keys once it has generated a Lumion. 3.2. Optional: Key Authority There are multiple ways of implementing a Key Authority. They are all explained in the section "Lumion Key Management". 3.3. Optional: Versioning Both payload and metadata can be versioned with 64-bit version numbers. These versions are internal versions, incremented each time the Lumion is updated and re-signed. 3.4. Optional: Access Control This is a simple version of Role-based Access Control, with a list of valid keys stored in the Lumion Metadata. 3.5. Optional: Checksums A signature is already a form of a checksum. But in addition to this overall Lumion checksum, a checksum is also used as part of the Access Control system. 4. Properties of Lumions Standardised: A Lumion can be operated on by any software that complies with this RFC. Integrity: Corruption can always be detected, at multiple levels (overall, or in the payload, or in the metadata). Uniquely Recognisable Among All Data: A Lumion will always be recognisable as a Lumion from its name-based UUID. Uniquely Identifiable Among All Lumions: A Lumion will always be unique among all Lumions due to the one-way hash part of its UUID. Secure: If there is no valid key available (because the original Lumion Generator did not store the key correctly, or the key was lost, etc) then a Lumion cannot be decrypted. Portable: Can be copied across architectures, networks, storage systems without losing or gaining any information. Shearer, et al. Expires 4 August 2022 [Page 5] Internet-Draft lumionsrfc January 2022 Non-repudiable: The original key authority might be unreliable and transient (ifor example, because the originating phone got swallowed by a diprodoton) but any Lumions generated on that phone and intended to have a common local authority will always be identifiable as having the same original source. Self-contained security: no external key authority or integrity authority is needed. Discriminated access control is provided solely from the information within the Lumion. Globally distributed namespace: Just by having a Lumion UUID, that means every Lumion is part of an ad hoc global storage system. Sequenced Internally: Since Lumions have an internal version number, anyone with copies of all version of a Lumion can view them as a time-sequenced stream. (It is possible for a Lumion to keep all previous versions of its payload within itself, although whether this is scaleable or feasible is highly application-dependent.) Sequenced Externally: Lumions have fields of Left, Right, Below and Above, sized to contain a Lumion UUID. The contents of these fields can be updated at any time, meaning that Lumions can optionally and frequently will form part of a logical structure such as a Merkle tree, thus creating a sequence that can be navigated forward/back/up/ down, depending on the structure. This sequence data can also be interpreted as time sequence data, if the Lumion Generator intended to produce that. Timestamps are not required to be assigned by the Lumion Generator for time sequence data, because if a sequence of Lumions is ordered then a Lumion Reader can interpret that according to any temporal origin and offset it chooses. Time Travelling: Sequences of either the internal or external versioning can be interpreted as snapshotted point-in-time state information. Such information can always be played back to reconstruct a view of the world at any point in time. Even where there are no timestamps, the relative versions can still be replayed in either direction. 5. Description of Lumions Any of the three types of data may be in plain text, although they usually will not be plain text because much of the value of a Lumion is in its encrypted properties. A plain text Lumion is still signed, and still has a universally unique ID. Data in a Lumion may be automatically generated by one of these kinds of processes: Shearer, et al. Expires 4 August 2022 [Page 6] Internet-Draft lumionsrfc January 2022 * cryptographic checksums * symmetric encryption * public key encryption * public key signing * one-way hashes appended to a name-based uniqueness algorithm For each of these there are multiple possible ciphers and implementation techniques. Portability requires that data is stored in Network Byte Order. 6. Lumions and Key Management There are four different levels of scope that involve key management: 1. The system within a Lumion, ie implementing access control so that a validly-signed Lumoion remains validly signed even after it has been updated by someone with a valid write key, and only allows reads by someone with a valid read or read+write key. All of that is about how the Lumion is maintained as a data artefact. These valid keys could have been generated by anyone anywhere, and stored anywhere. The Lumion neither knows nor cares. But it still has to do some degree of key management because it has list of keys and their access rights inside it. 2. How a Lumion Generator creates the Lumion in the first places and the list of keys inside the Lumion. There will also be the other half of keys to be stored somewhere (presumably inside a LumoSQL database, in a Lumion.) That incldues symmetric keys, and signatures. So this too is key management. New users, the extent to which revocation is supported, etc. I expect this will be mostly internal to LumoSQL, driven by the SQL interface (?) 3. Key management via an Authority, any authority. A LumoSQL user is building an app, and might choose to make LDAP or Active Directory or Kerberos the Authority, or an Oracle database, etc. LumoSQL doesn't know or care, only that the keys are in the right places at the right time. Will this be done through the C API, or SQL only? 4. Key management via the Lumion Registry, which is the only (and totally optional) scheme that LumoSQL is configured to support. This is the scheme I described where Lumions are stored in a blockchain, specifically Ethereum, as an implementation of a standard Ethereum smart contract. This is where we could have many billions of rows with their UUID registered and also the users with access rights registered there too. See the later section headed "Lumion Registry". Shearer, et al. Expires 4 August 2022 [Page 7] Internet-Draft lumionsrfc January 2022 7. Goals and Constraints XXXX THIS SECTION DOES NOT EXIST YET XXXX 8. Lumion Data Format A Lumion is laid out like this: +--------+-----------------+------------------------+---------+ | UUID | Metadata Block | Payload Metadata Block | Payload | +--------+-----------------+------------------------+---------+ These fields are always present in a Lumion. The UUID is described in the section "Lumion UUID Format", and is always 256 bits wide. The Metadata Block is laid out like this: +-----------+----------+-------------------------+--------------+ | Signature | Features | Payload Metadata Offset | Other Metad. | +-----------+----------+-------------------------+--------------+ The Lumion Signature is a digital signature from one of those allowed in this RFC. See the section "Lumion Ciphers, Signatures and Hashes". The Lumion Feature list is a 32-bit bitmask with values as in the following table: XXXXX MORE GOES HERE XXXXX Payload Metadata Offset is a 64-bit integer. Other Metadata contains all RBAC metadata, and some non-RBAC Metadata: * Left, Right, Below and Above pointers. These pointers are Lumion UUIDs, meaning that trees, lists and other structures can be implemented with Lumions. At least one of these fields MUST be non-zero if the External Lumion Version Count is non-zero. * List of valid Lumion Access Keys * XXXXX MORE GOES HERE XXXXX The Payload Metadata Block is laid out like this: Shearer, et al. Expires 4 August 2022 [Page 8] Internet-Draft lumionsrfc January 2022 +----------------+---------------------+------------------------+ | Payload Length | Payload Vers. Count | Other Payload Metadata | +----------------+---------------------+------------------------+ Payload Length is a 64-bit integer. Payload Version Count is a 64-bit integer. Other Payload Metadata relates to RBAC, such as Last Edited By, which is a keyid listed in the Metadata Block. XXXXX 9. Lumion Data Formal ABNF Specification A Lumion has the following ABNF [RFC5234] definition: (this is NOT valid Lumion ABNF because we're still at the high-level sketch stage. But it is quite atmospheric, don't you think? A bit like mood music.) SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG] HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID PRI = "<" PRIVAL ">" PRIVAL = 1*3DIGIT ; range 0 .. 191 VERSION = NONZERO-DIGIT 0*2DIGIT HOSTNAME = NILVALUE / 1*255PRINTUSASCII APP-NAME = NILVALUE / 1*48PRINTUSASCII PROCID = NILVALUE / 1*128PRINTUSASCII MSGID = NILVALUE / 1*32PRINTUSASCII TIMESTAMP = NILVALUE / FULL-DATE "T" FULL-TIME FULL-DATE = DATE-FULLYEAR "-" DATE-MONTH "-" DATE-MDAY DATE-FULLYEAR = 4DIGIT DATE-MONTH = 2DIGIT ; 01-12 DATE-MDAY = 2DIGIT ; 01-28, 01-29, 01-30, 01-31 based on ; month/year FULL-TIME = PARTIAL-TIME TIME-OFFSET PARTIAL-TIME = TIME-HOUR ":" TIME-MINUTE ":" TIME-SECOND [TIME-SECFRAC] TIME-HOUR = 2DIGIT ; 00-23 TIME-MINUTE = 2DIGIT ; 00-59 TIME-SECOND = 2DIGIT ; 00-59 TIME-SECFRAC = "." 1*6DIGIT TIME-OFFSET = "Z" / TIME-NUMOFFSET TIME-NUMOFFSET = ("+" / "-") TIME-HOUR ":" TIME-MINUTE Shearer, et al. Expires 4 August 2022 [Page 9] Internet-Draft lumionsrfc January 2022 STRUCTURED-DATA = NILVALUE / 1*SD-ELEMENT SD-ELEMENT = "[" SD-ID *(SP SD-PARAM) "]" SD-PARAM = PARAM-NAME "=" %d34 PARAM-VALUE %d34 SD-ID = SD-NAME PARAM-NAME = SD-NAME PARAM-VALUE = UTF-8-STRING ; characters '"', '\' and ; ']' MUST be escaped. SD-NAME = 1*32PRINTUSASCII ; except '=', SP, ']', %d34 (") MSG = MSG-ANY / MSG-UTF8 MSG-ANY = *OCTET ; not starting with BOM MSG-UTF8 = BOM UTF-8-STRING BOM = %xEF.BB.BF UTF-8-STRING = *OCTET ; UTF-8 string as specified in RFC 3629 OCTET = %d00-255 SP = %d32 PRINTUSASCII = %d33-126 NONZERO-DIGIT = %d49-57 DIGIT = %d48 / NONZERO-DIGIT NILVALUE = "-" 10. Lumion UUID Format This is a combination of a name-based namespace and a robust hash, similar to type 5 UUIDs in [RFC4122]. RFC4122 UUIDs MUST NOT be used because of the constrained environments many Lumion-using applications are deployed in and which therefore do not have knowledge of namespaces that look like DNS or which imply a network even exists. In addition RFC4122 does not include any hash more recent than SHA-1, which is now deprecated. XXXXX MORE GOES HERE XXXXX 11. List of Lumion Ciphers, Signatures and Hashes * SHA-3/SHA-256 * BLAKE3 * Curve 25519 * XXXXX MORE CIPHERS HERE XXXXX 12. Example Use Cases Shearer, et al. Expires 4 August 2022 [Page 10] Internet-Draft lumionsrfc January 2022 12.1. Data Tracking and Portability XXXXX EXPLAIN HERE - THIS IS AN EASY AND OBVIOUS ONE XXXXX 12.2. Time Travelling Data for Snapshotting This is about using the versioning information embedded within Lumions (either internal or external) to come up with time series data. It might in fact be more about ordinal data, because wallclock time is not part of the Lumion definition in this RFC. A Each Lumion MUST have pointers called Left, Right, Below, Above, as well as an external or internal version number. 12.3. Non-Fungible Token (NFT) Applications * Compatible with existing NFT registries * First-ever updatable NFTs XXXXX MORE GOES HERE XXXXX 12.4. Online Backups A time-ordered lists of Lumions is also a form of backups. Ad-hoc backups will be possible so long as the smallest unit is a Lumion and only whole Lumions are transferred. The UUID, versioning and ordinal information optionally contained in a Lumion means that a consistent backup can always be calculated assuming a reasonable percentage of Lumions are present. 13. Performance Considerations XXXXXX 14. Security Considerations While a valid Lumion is entirely self-contained from a security point of view, it is important to remember that Lumions do NOT provide any guarantee of anonymity. Lumions MAY be used for this purpose despite the presence of a UUID if the Lumion Generator is implemented in a very particular way (for example, the Lumion Generator only ever produces a single Lumion before being deleted permanently.) Transparency and traceability is vital to the Lumion concept, which is why it has a UUID. For normal usage the UUID prevents Lumions providing anonymity. Shearer, et al. Expires 4 August 2022 [Page 11] Internet-Draft lumionsrfc January 2022 15. Related Work XXXXX 16. IANA Considerations This memo calls for IANA to register a new MIME content-type application/pidf+xml, per [MIME]. The registration template for this is below. 16.1. Content-type registration for 'apoplication/lumion' To: ietf-types@iana.org Subject: Registration of MIME media type application/lumion MIME media type name: application MIME subtype name: lumion Required parameters: (none) Optional parameters: (none) Encoding considerations: (none) Security considerations: This content type carries a payload with metadata, where the only information that can be deduced relates to the Lumion envelope. Everything else is encrypted. A Lumion thus is self-contained from a security point of view. Interoperability considerations: This content type provides a common format for transporting data in a secure and privacy-compliant manner. Published specification: (none) Applications which use this media type: Databases Additional information: Magic number(s): XXXX File extension(s): .lumion (optional) Person & email address to contact for further information: Dan Shearer EMail: dan@shearer.org Intended usage: Globally, at scale Author/Change controller: (none) Shearer, et al. Expires 4 August 2022 [Page 12] Internet-Draft lumionsrfc January 2022 17. Informative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, <https://www.rfc-editor.org/info/rfc4122>. [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008, <https://www.rfc-editor.org/info/rfc5234>. Authors' Addresses Dan Shearer LumoSQL Email: dan@shearer.org, dan@lumosql.org Ruben De Smet LumoSQL Email: me@rubdos.be Claudio Calvelli LumoSQL Email: webmaster@lumosql.org Shearer, et al. Expires 4 August 2022 [Page 13]