# Shape Up Pitch: WebDAV Authentication and Authorization for backspaces.agentscript.org ## Problem We want a robust, decentralized authentication and authorization mechanism for the WebDAV server at **backspaces.agentscript.org** that integrates with our Digital Acequia framework. The solution should: - Allow domain/subdomain owners to authenticate using their PKI keys. - Mount directories securely based on their domain or subdomain. - Support delegation of access permissions by domain/subdomain owners to other users. Example: *backspaces* (the username for Owen Densmore) may later grant read/write permissions to other users by issuing access tokens. --- ## Appetite We want to implement this feature as a **test case within a 6-week cycle**, ensuring: - Secure authentication using PKI and DNS TXT records. - Dynamic directory mounting based on domain/subdomain (e.g., `backspaces.agentscript.org`). - Clear and manageable Access Control Lists (ACLs) for authorization. - Support for permission delegation by domain owners via access tokens. - A scalable foundation extendable to other domains in the future. --- ## Solution ### Key Components - **Authentication via PKI and DNS TXT Records** - Domain/subdomain owners publish their public key in a DNS TXT record. - The WebDAV server retrieves the public key from DNS and verifies the client’s identity using a signed challenge-response mechanism. - **CNAME-Based Directory Mapping** - Use the DNS CNAME entry to associate the subdomain (e.g., `backspaces.agentscript.org`) with a specific WebDAV server. - Dynamically mount a directory named after the subdomain (e.g., `/backspaces.agentscript.org/`). - **Authorization with ACLs** - Directory-specific ACLs to control actions (READ, WRITE, DELETE, LIST). - Domain owners can delegate permissions by issuing access tokens. - **User-Managed Public Keys** - Users store their public keys in files within directories on their own domains. - Example: `/public_keys/user1.pub`. - **Access Tokens for Delegation** - Domain owners (e.g., Owen Densmore) issue access tokens with specific permissions (READ, WRITE) and expiration. - The WebDAV server validates tokens during authentication. - **Logging and Auditing** - Maintain logs of authentication attempts and directory operations for auditing/debugging. --- ## Steps to Implement 1. **DNS Configuration** - Add a DNS TXT record for `backspaces.agentscript.org` with a test public key. - Create a CNAME record pointing to the WebDAV server. 2. **WebDAV Server Enhancements** - Implement DNS-based public key retrieval. - Add challenge-response authentication. - Integrate directory-mounting mechanism based on subdomain. 3. **Access Control** - Configure ACLs for `backspaces.agentscript.org`. - Add support for delegated permissions via access tokens. 4. **Public Key Management** - Allow users to upload/manage their public keys. - Ensure verification during delegation. 5. **Access Token Implementation** - Design token issuance and validation with metadata (permissions, expiration). 6. **Testing and Debugging** - Validate authentication, delegation, directory mounting. - Perform load tests for scalability. - Audit/log all operations. --- ## Rabbit Holes - **DNS propagation issues** delaying tests. - **Edge cases**: expired/invalid keys, malformed TXT records. - **Complex ACLs**: balancing simplicity with flexibility. - **Token management**: expiration, revocation, compromised keys. --- ## Risks - **Security risks** if PKI, tokens, or auth flow have flaws. - **Implementation overhead**: integrating DNS, WebDAV, PKI, tokens. - **Scalability** across multiple domains/subdomains. --- ## Success Criteria - Successful authentication for `backspaces.agentscript.org` using DNS TXT public key. - Dynamic mounting of `/backspaces.agentscript.org/` on the WebDAV server. - ACLs enforced with delegation via access tokens. - Users can upload/manage public keys on their domains. - Extendable design replicable for other domains in future cycles. --- ## Team - **Development**: Lead developer for WebDAV server integration.