Foursome Contributes Code to Apache Milagro for Internet Security Framework
ApacheCon North America, MIRACL, NTT Innovation Institute Inc., and NTT Labs have contributed security and authentication code to Apache Milagro, a new open source project within the Apache Incubator. This announcement, which establishes an internet security framework called Distributed Trust Authorities, comes on the eve of The Apache Software Foundation’s largest developer event.
Distributed Trust Authorities involves cryptographic service providers who independently issue shares of keys to application endpoints with embedded Milagro cryptographic libraries and applications. The DTA framework, meanwhile, splits the functions of a pairing-based key generation server into three services. Each third of the private key goes to distinct identities. Crypto App clients receive the shares, and thus are the only ones with knowledge of the whole key.
"Apache Milagro (incubating) is an opportunity to fix what ails the internet and leverage the power of the open source community to fundamentally evolve the security underpinnings of the web for how it's used today," said MIRACL CEO Brian Spector. "The code and distributed trust model we are committing to Apache Milagro (incubating) is built for blockchain applications, cloud computing services, mobile and containerized developer applications by eliminating the need for any central trust authority."
As explained in a MIRACL-sponsored article by Daniel P. Dern on Linux.com, “Apache Milagro Aims to Fix Web Security for Cloud, Mobile, IoT,” ensuring people reach the correct websites on the internet requires authentication, which has traditionally involved the use of public key infrastructure certificates, an approach that is problematic. Spector notes in the Linux.com piece that digital certificates don’t easily allow mutual authentication; PKI does not scale well; and all of the above does not adequately address cloud, containers, IoT, and mobile environments.
"We want to move from a single, monolithic hierarchy of trust to one where publishers of enterprise, web and mobile apps can decide on, and provide, security," Dern quoted Spector as explaining. "For example, a company based in Germany may have a different set of criteria for selecting D-TA's to get key shares than one in the United States for selecting trust partners. Or, say, an organization decides that it doesn't want any single commercial entity to hold its trust network. Just like Apache decided they didn't want a single corporate entity to 'own' the web server platform, we believe the same should be true for online authentication – people should be able to determine what's best for their needs, and choose the partners that work best for them."
Whether open source and the wisdom of the crowd prove to be the path to a more “trusted” Internet obviously is (pardon the play on words) an open question. One thing that is becoming clear is that a new “trust paradigm” does need to appear, and Apache Milagro is a good place for the work to be accomplished by some of the world’s top security minds.
Edited by Peter Bernstein