re:claim is a novel approach for decentralized, self-sovereign identity management. Its core features are:
- Self-sovereign: You manage your identities and attributes locally on your computer. No need to trust a third party service with your data.
- Decentralized: You can share your identity attributes securely over a decentralized name system. This allows your friends to access your shared data without the need of a trusted third party.
- Standard-compliant: You can use OpenID Connect to integrate re:claim in your web sites.
Every dependency of re:claim is contained and delivered by docker images, which are built on Docker Hub. It is also possible to build these images yourself. Other than that, the re:claim client requires just docker-ce (versions 17.12.0+) and docker-compose (versions 1.23.1+, other versions are untested) to be installed:
Clone this repository.
Note: Only Firefox and Chrome are supported at this time.
The re:claim client functionality is bundled in a helper script ./reclaim in the root directory of this repository.
To get quickly up and running execute:
$ ./reclaim start -d
This command will detect whether you've run re:claim before and, if not, generate all the necessary files. If it finds the the respective utilities (certutil) it will also ask you if you want to import the GNS proxy certificate into your browser. Otherwise, you need to manually add the certificate.
IMPORTANT: Upon starting re:claim, you will be prompted to install the GNS proxy certificate. Once the certificate has been generated in the initial run, you can find it in the reclaim client folder as .gns/gnscert.pem.
re:claim makes heavy use of the GNU Name System (GNS). To use GNS, you need to configure your browser to use the GNS proxy so that names can be properly resolved.
To configure Firefox to use the GNS proxy:
That's it! At this point you might have to restart Firefox.
You can manage your identities by accessing https://ui.reclaim. This web interface is running on your local machine.
To test re:claim, you can go to the demo page https://demo.reclaim in your browser to test a re:claim login. This webpage it running on our servers here but must be accessed through GNS to be usable with a re:claim login.
To stop re:claim execute:
$ ./reclaim stop
THIS SECTION IS WORK IN PROGRESS
To add an OpenID Connect client via reclaim, the reclaim client script can be used. For example, in order to add a client with a callback URI https://test.mysite/login issue the following command:
$ ./reclaim oidc createClient --uri test.mysite
You can list your OIDC clients using
$ ./reclaim oidc listClients (NOTE: This command is not yet implemented)
In order to setup your relying party, you need to use the reclaimID OIDC endpoints. As an example see our Demo webpage.
THIS SECTION IS WORK IN PROGRESS
The script supports the following commands:
| Command | Description |
|---|---|
| stop | stop all reclaim containers |
| start | start reclaim containers |
| restart | restart reclaim containers |
| purge | remove reclaim containers and (optionally) remove persistent data |
The script furthermore supports arguments:
| Flag | Description |
|---|---|
| --demo (-d) | also startup a demo relying party |
| --compose-file (-f) | supply a custom docker-compose.yml |
| --no-pull | don't pull remote images |
The arguments have to be supplied only with start. The script will track arguments as whether a demo needs to be started or a custom docker-compose.yml for consequent starts.
Q: How does re:claimID work?
A: re:claimID uses a name system as identity directory service. In order to allow the user to enforce access control decisions, we use attribute-based encryption. This allows us to mitigate the need to manage large key sets for each attribute and avoid complex key hierarchies. For the theoretical background, there is a scientific paper available.
Q: Why do I need to install software?
A: re:claimID is not your traditional web tool. It breaks with a lot of old paradigms especiall with regards to name resolution.
Q: Why do I need a proxy? This is inconvenient
A: The proxy is required to stay compatible with existing browsers (see above). This is, for example, also true for technologies such as Tor. In fact, Tor also uses a SOCKS5 proxy, like re:claimID.
Q: But how does a website know the attribute data is correct?
A: Short answer: It doesn't. Long answer: Identities are initially self-attested by the user. re:claimID could, however, also be used to share third party attested attributes (e.g. X.509 certificates). Further, we are working on integrating privacy credentials for this use case.
Q: Where is the code?
A: re:claimID is developed as part of GNUnet. The source code for the core service can be found in the git repository. Low-level documentation of the GNUnet reclaim subsystem can be found here.
(c) 2018 Fraunhofer AISEC