We consider how we might provide just sufficient security for a small community of friends to form quickly, enjoy ownership, invite others and recover from mistakes.
See Friendly Security for implementation notes.
# Secrets
We are looking for a stand-alone solution that does not delegate identity to any other service. We presume that one secret can be created on first use, stored in the site's status, and delivered to the new owner in a way that they can understand and responsibly manage.
A secret can be a large random number that contains no information beyond its uniqueness. Knowledge of the secret grants the bearer write access to an otherwise read-only site. A breach of secrets reveals nothing about their owners and permits only the ability to damage work that should be backed up anyway.
# Cases
An administrator creates a new farm with no claimed sites.
An administrator creates a site and asserts admin privilege.
A user visits an empty site, creates content over weeks.
A user visits another's site and finds it securely locked.
A user retrieves the secret so as to retain access.
A user loses access and seeks assistance in person.
A user loses access and seeks assistance by email.
# States
A site is unclaimed with no owner.
A site is claimed and owner has cookie.
A site is claimed and owner lost cookie.
A site is claimed and owner knows secret.
# Modules
A friendly security module must create secrets, issue a cookie on first use, and require a cookie from then on.
A friendly login plugin can issue a cookie to anyone providing the secret, and can provide the secret to anyone with the cookie or administrator privilege.
# Workflows
An administrator could create sites for a roster of users and then email the correct secrets to each user. (A server-side endpoint could dispense cookies.)
An administrator could create multiple sites with the same secret for their own use by copying status from site to site.
A site that disallowed claims could allow owners to create subdomain sites and distribute the secrets as they see fit. (Perhaps this is a different security module.)
# Risks
A site administrator could reveal or tamper with secrets.