Hello everyone, this is a session on progress on the enterprise Fedora desktop. Roughly a year ago we did a talk at GUADEC where the idea was to show that with relatively small effort we can combine the server developments that have been happening for the last seven years with the desktop improvements to produce something that makes Fedora, and other Linux distributions that try to use the same bits, reasonably usable in corporate environments. After that I was sort of advocating that when we talk about the enterprise free software desktop, we're actually talking about the desktop we use at home, because our life is effectively a life of split identities. You're your own at home, you're somebody at work, and you need to have access to all of those identities at the same time, share files, access social networks: your blended identity. You might have an identity disorder as well, but that's the reality.

Overall, if we look at the enterprise desktop, it's really a combination of three big things. It's a client enrolled into some centralized identity management system. It's a tool to perform business tasks, whatever is defined as your business, regardless of the actual details of that business. And it's subject to centrally defined access controls, and those centrally defined access controls are actually what differentiate us from a desktop. In Fedora we have plenty of identity management systems, but as I'm representing the FreeIPA and Samba teams here, we kind of have two of those highlighted, right? You can do your own identity management system based on Kerberos and LDAP or other means, there are plenty of them now, but in Fedora we can now install the FreeIPA domain controller right from Anaconda as a role, and we were discussing yesterday in the Server Working Group that you can do more in the future and do something with it.
And on the desktop side it's obviously a client to that system, so you need to do something with it, and we're also working on the Samba AD part, for I think four years now. It's not an easy feat. We still have something like 50-70 patches to be merged upstream to fully support MIT Kerberos, so that after that we can start thinking about bringing it into Fedora as a supported solution, and then the fun will start, because people start deploying and complaining and filing the bugs. So we're looking at that around Fedora 26.

And then we have agents that actually represent what the server side thinks the clients should be doing, right? These agents give you identity services, so in POSIX environments that's POSIX attributes: your UID, GID, home directory and whatnot, shell, which is a strong preference for everyone, and people fight over them as they fight over the choice of editor. But then you have authentication services, and it's strongly coupled with the way applications actually treat that authentication; there are different methods and so on. Then, if you're authenticated, you need to be authorized, specifically in the corporate environment: authorized or not to access certain resources and certain applications, that's kind of a clear thing. And then the tools to simplify access.
There are a couple of examples. So Fedora and FreeIPA: a client that is enrolled in FreeIPA uses the SSSD project and its daemon as an agent, and we have both the nss_sss and pam_sss modules configured in the standard Fedora stack. Even if you don't use SSSD that doesn't change anything, but it allows you to switch on SSSD and not change any configuration; it just starts magically working. Then SSSD performs a bunch of things: fetching the data from the FreeIPA server and applying authorization decisions based on that data. One of the examples is also that OpenSSH uses SSSD to look up public keys of the servers you connect to as an OpenSSH client, to verify their identity, but it is also used by the OpenSSH server to verify the public key of the user connecting to it, and the same for certificates, which will be related. Also the sudo rules can be configured globally and in sets for specific services and specific servers that you can access if you're a member of this group or that, or if you're in a certain division.

For the Samba AD case, while there's no Samba AD in Fedora yet (there is a Copr that we kind of do the test builds with), you still can be a client to Active Directory, which means you can be a client to Samba AD as well, because Samba AD tries to be compatible protocol-wise with Active Directory. And you can have two different combinations: one of them is a pure use of Samba tools like winbind, or a hybrid combination where SSSD is used for the actual authentication and identity management and winbind is used for the tasks where you have to do SMB protocol magic. That's all beneath the floor.

So what can we do with this, what would the user see? The thing is, we need to have some metric by which we can say whether we are successful or not here, and one of the simplest metrics is the number of passwords. We are talking about single sign-on into desktops, effectively: if you're centrally defined and you centrally authenticate, there's no need to have all this authentication happen every
single step and ask the users to enter a password. So let's do passwords as the metric; our metric will be passwords. A typical situation: you reboot the machine and you get to the operating system prompt, which might optionally ask you to decrypt your hard drive to boot, password verification, there might be some stuff on it. Then you're signing into a typical local account. Then you jump on the VPN, because before that you cannot really authenticate against the thing on the VPN. If you're working in the office and you're on the wired network you might be just happy, but in reality we could work from a hotel, from home, and we don't have access to the VPN every time. Then we get the Kerberos credentials and finally authenticate to the services with single sign-on. That's good, but how far are we from getting into this imaginary situation: you boot into the operating system, you use your remote credentials, you access applications that are on the VPN, and you're immediately there?

Well, let's try to log in. I hope this is the video. These are videos that we actually recorded in February for DevConf; they still stand as a practical example. So I'm logged into the system and I got some Kerberos ticket while I'm not on the VPN, and I use that ticket to actually log into the VPN. Let me see if I press one button... But basically you can see that I logged into the desktop, somehow magically I got the Kerberos ticket, I logged into the VPN, and now on the VPN I've got the rest and I can actually access my resources. At no point did I enter any credentials other than the original ones.

So yes, this is a client for FreeIPA. The FreeIPA server runs a special thing called the KDC proxy. It's an HTTPS service that effectively tunnels requests for Kerberos over the Internet. While Kerberos itself was designed to be used in hostile environments like the Internet, there are a couple of exchanges that are not really well protected; they could be used to attack you so far, and using an HTTPS tunnel sort of takes care of these
first few steps that are not protected. This was actually developed first by Microsoft, trying to solve problems of their own clients: in 2007 they deployed this in Windows Server 2008, and the actual spec is very well defined. So in 2014 Nathaniel McCallum implemented the spec, first as a separate application, then it got integrated into FreeIPA, and later in 2015 the guys from OpenConnect VPN implemented this in C and integrated it with the OpenConnect server. So we have, I think, GNOME.org now running this proxy for two years already and using this to access Git repositories with Kerberos credentials, exactly what happened in this video.

And yeah, OpenConnect is one of those that support it. OpenVPN does not support Kerberos, and for ten years people have been struggling to explain to OpenVPN developers what the use case is and how it works. Well, instead of OpenVPN, the IKEv2 spec has progressed on formally defining GSS-API, which is the API to do single sign-on including Kerberos, in the spec, and Libreswan is working on implementing that spec, so we're going to get this. The funny part is that the IKEv2 extensions that Microsoft did since, yeah, I think 2000, and they have this in Windows 2000 onwards, effectively give you the same ability: you do GSS-API inside the IKE/IPsec implementation, on the Windows side already for 15 years plus. We're coming there.

So if you have a VPN, yes, that's a good thing, but you probably don't want to trust people with a Kerberos ticket to log into your VPN infrastructure; you want to have some assurance that these people are not stealing the tickets but use some more serious means to obtain the ticket. FreeIPA supports two-factor authentication, internally and through other RADIUS-based means, but effectively you can use a variety of means to define those factors, and one of them is the FreeOTP application, which is based on Google Authenticator before it became proprietary. (It's now clean. It was always... okay, yeah.) But the idea was
coming from that one, yes. And FreeOTP is an official Fedora project, by the way. Yes, it's our first one, and Nathaniel did this work, and it works on Android and iOS. Yes, of course, that will be good.

So one thing that FreeIPA 4.4 will add in this area is the ability to say how strong your initial ticket was: did you use two-factor authentication to obtain it, or did you use something else? And then use this information to say I can only get access to that service if the original ticket was obtained with multi-factor authentication. This is not yet deployed anywhere; it's coming out in FreeIPA 4.4 this August. So it will allow you to get the VPN limited to two-factor authenticated Kerberos tickets obtained over the KDC proxy. We can go multiple processes on it.

So how it works, again: we continue with the previous demo, and here what I'm doing (it was done in a VM) is I took the YubiKey, inserted it into a USB port of my machine, and actually to get access to that I created a special group that has the actual writable access to the USB device, and that's why I'm doing this in the console. You cannot have access to the USB device from the browser; you're limited there. And I programmed this YubiKey in such a way, basically saying: add a token into the first slot of this USB key, I don't care what you put there, the defaults are there. It programmed the physical hardware and then sent the token information to the IPA server, so that the IPA server now knows that this user can log in with two-factor authentication, and because the user here has the OTP type as one of the options to log in, it can log in.

So now we lock the screen, and immediately on an attempt to unlock the screen SSSD notices that the server, actually during the Kerberos negotiation, responds that this user can do OTP. So instead of prompting for a password here (we know the user, because it's a lock screen, right), instead of a password we ask for the first factor, which is the phrase, just say that you enter your Kerberos password, and then the token code that
you get. So I enter, hopefully, yes, the token value. We used to have this problem that if you enter them together, then the next step would be that GDM, or whatever is running there on the lock screen (it's GDM), passes the whole password, whatever the password is, to unlock your credential store, and your password now is effectively random because it has this token value that will never repeat, theoretically, right? So on the next login you will never unlock your credential store, because it's encrypted by a password that's...

Those strings are configurable, by the way, "first factor" and "second factor"; they are not... it's coming from SSSD, and we are thinking how to do that. Yes, yes, and that's one of the discussions we have, with Alan and others, on how to get this user experience better. But for you, really, you can just join things together and you already get a very powerful thing.

So let's see, yeah, we logged in. And another thing here is that I got a totally new ticket now, a totally fresh one compared to what I had before. It did not renew; it created a completely new one. Replaced it? Yes, yes. We cannot see it from anywhere here, because on the client side we don't actually have an API to... we just merged it in Kerberos upstream, yes, last week, but at the time when this was done we did not have any API for Kerberos clients or GSS-API clients to look into the ticket and see if there is a tag that you can analyze somehow.

So this is a summary: we got the credentials sent only once, after we programmed the token; we handled the login, showed a different prompt or a sequence of prompts (there might be more; we support two factors, but nothing prevents having a system with multiple factors). And if you haven't been at the talk that Nathaniel ran this morning about secure automated decryption, he was talking about using a tree of factors to define, up to whatever you define, the access levels, making security not binary but a sliding scale, which is really interesting
going forward. So yeah, if we got those credentials, what could we do with them? Do you want to... yeah, yep.

So once we have some Kerberos tickets, what are we going to do with them? We saw that you can log in through GDM and you get a Kerberos ticket. I mean, if your server is configured to do two-factor authentication you get asked twice and so forth, so finally you end up with a Kerberos ticket. So what now? So you can pretty much use it with any service that uses GSS-API. By any service I mean it can be a file storage thing, it could be ownCloud for example, a WebDAV server, it could be a printer, it could be SSH and so on, it could be email. So I'm going to show various things which we can do with the Fedora desktop once you have a Kerberos ticket. There are still some rough edges here and there which we are trying to improve, so this talk is mostly about showing the improvements that we have made to smooth some of the rough edges and what we are going to do further.

So first we start with the browsers. We'll come back to browsers towards the end, but let's start with browsers a bit. So essentially, even if you have a Kerberos ticket and you want to access a website or a web application which is supposed to work with these Kerberos tickets, they don't really work smoothly. I mean, usually what happens is they fall back to some kind of basic HTTP authentication, or you get redirected to some sort of form where you have to manually type in your username and password and then maybe type in the second factor from your key. This sort of form is kind of like the GDM screen that Alexander showed, but quite often it's not separated as first and second factor; you just have to enter a string which is basically your first factor and then you concatenate the second factor to it. So this is not really ideal. I mean, it should just work, because that's how it's supposed to be. So for web browsers, these web apps advertise
something called Negotiate authentication, like a WWW-Authenticate: Negotiate header, just like basic authentication. So one of the things that was missing was GNOME's HTTP stack, which is libsoup, and then we have WebKitGTK on top of it; it didn't have support for this Negotiate scheme. That's why all these applications that have some form of web browser embedded into them, or any application that is doing HTTP in some form, wouldn't work with Negotiate, wouldn't work with a Kerberos authenticated setup. So this was a problem for a while, as you can see, since 2009. Recently there was some movement on this, so here you see an embedded WebKitGTK logging into a Kerberos authenticated resource without asking for a password the second time; you already have a Kerberos token for the vda.li domain.

Yeah, so this is my home IPA network setup, which is sort of public except that the actual IPA server is on the private network, so I need to be on the VPN first. And what I show is that GNOME Online Accounts didn't have any Kerberos ticket, then I entered kinit from the command line and got the ticket, and GNOME Online Accounts... so we use the... we are actually getting a bit ahead of what we wanted to show. Let me get back here.

So we logged in, in this Epiphany window, into FreeIPA without entering passwords, because we used our Kerberos credentials. Yes, and we did not get any redirect somewhere; it is because this application, this web application which is the administrative console for IPA, knows how to handle Kerberos itself. You can see that there are a couple of users, and unfortunately we cannot see the names, but there's an email set to some domain. This domain is actually connected to some other source that we didn't stop at before, but let's get to that point.

So what was this? This is a combination of work; it's really a collaborative effort across the whole community. This effort started in 2009, then faded because there wasn't
really enough strongly willing people to complete it. There were flying patches from Debian people, from others, from Intel guys, trying to kind of reintroduce the Kerberos or GSS-API support into libsoup, and I think it took the last two years or so to kind of understand what the complexity is and consult with the GNOME guys to finish this, to complete this work. This is all now merged in GNOME 3.

So yeah, this is the header that the website usually advertises: WWW-Authenticate: Negotiate. So why is this important? Why is the Kerberos or Negotiate support in libsoup and WebKitGTK important? Well, actually WebKitGTK is just a libsoup application in this regard, so most of the work was in libsoup. But anyway, why is it important? One of the things it would let us do is that any application that uses HTTP via libsoup will now be able to deal with Kerberos. For example, you might have seen that you can mount your ownCloud or other WebDAV shares in Nautilus, and they are then available to any other GNOME or GTK application, to your file chooser and so on. Those kinds of things wouldn't work with a Kerberos authenticated WebDAV store, so those things will now be possible. I mean, there are still bugs. Alexander has a prototype of a Nextcloud which uses Kerberos running, but when I started to make it work there were some bugs. I mean, when you start doing DAV, not pure HTTP, but when you start using the DAV extensions against this setup, it kind of gets lost in the weeds of the technology.

Yeah, there are some protocol miscommunications that happen, because actually the whole flow of this SAML was never expected to work over something that is not HTTP. WebDAV is not strictly HTTP; it's another set of commands that uses the same concept, but there is a misunderstanding on the server side of how to handle certain redirects, which basically prevents WebDAV from completing its operation, which confuses clients, and clients cannot obtain files because they did not finish the authentication.
It's going to take some time to work on it, but the more important part, why we are looking into this, is because we are effectively forced, and we are moving ourselves, through the social networks integration, through the effort of, let's say, Microsoft as well. The Microsoft security team is very concerned by passwords, because people cannot handle passwords, so they look into other methods of authentication, and Windows 10 includes the Microsoft Passport thing, which is effectively a glorified OAuth2 sequence against some HTTP server. Now you get something where you need to run things against an untrusted web server before you actually log in, so we need to get a sandbox with a locked-down execution environment for a browser engine right before the logon. But we need to know how we connect to a network there, so there should be a way to choose a network profile, and this means NetworkManager needs to be run before the logon and get access. But we get down the rabbit hole really, really deep: we need to access user-specific data, and it also says that the UX should be quite different. And think about cases where we're not talking about graphical logon but SSH logon with such a sequence; it's going to be confusing. And if you have your servers running on Azure or other networks, if Amazon, let's say, will force everyone to use the same authentication schemes like Microsoft tries to introduce, Linux systems will be at a big disadvantage. So we try to address something that probably most of us will not see in the next two or three years, but when we get hit by it we will be hit quite hard.

That's what your Windows 10 machine actually does if you're registered with Microsoft Passport, yes, and then you get captive portals in between and all that stuff all together. And for the offline logons they have cached sessions, but before you get cached sessions you have to be online, yes.

So for users this actually, the work that we did, actually means that you can do some neat things. Yes, we will skip the part that was
actually there. So we add a Google account. This vda.li domain has Google Apps, yes. So for this t.vda.li I got Google Apps connected to it and set up so that this user with its email is mapped to a certain user in Google Apps, and then you can authenticate, and the authentication actually happens against the Ipsilon instance, not Google Apps. At no point does Google Apps see my password; the only thing they see is my email, validated by my identity provider. So I am in control of my credentials and where they could be used, and then I can log in, I can get inside, manage files on Google Drive, open documents in Google Docs, read email and so on, with all the user data on my side.

The infrastructure here, just to be clear, is that Kerberos is authenticating to Ipsilon, Ipsilon is using SAML to authenticate to Google, so the end result is that you use your Kerberos ticket to log in to Google through your own identity provider. Yes, yes. So once we got there, with Google Apps as a service provider it talks to our instance via Ipsilon, and the Ipsilon website has perfect documentation on how to set this up. If you have FreeIPA, you have an Ipsilon configuration, then setting this up against Google Apps is like five minutes or so. There are still some rough edges, but you can do it.

So what happens if you don't have Kerberos credentials? You will get a window from your identity provider asking for username and password, and then you enter those credentials, and then everything works as it is. The problem is that at the point when the session cookie expires you have to re-enter those credentials manually, and nobody will be asking you; well, probably online accounts will show you that the credentials expired and you have to enter them. But with the Kerberos ticket they can be automatically renewed without your involvement, if you are allowed.

So we are also trying to make some improvements to the UI for Kerberos accounts in our Settings app. It's not an app, but the Settings UI that we have. So till now, so far,
you have seen that it's pretty much just a slider with which you can sort of destroy your credential cache, and it shows whether the ticket is valid or not. But we want to do a bit more than that, so I've got this kind of prototype hacked up. So you can now kind of force renewal of tickets manually, which might be useful if you have a two-factor authenticated setup. We usually try to automatically renew the tickets before they expire, but if you have two-factor going on then you need some human interaction to enter the second factor. It basically shows that even on the old... that's the kind of renewal.

Sorry, I didn't get the question. You said that with two-factor authentication, when you get renewed, you still have to have the second factor? I think so. Kerberos renews it, because the Kerberos library allows you to specify prompts, and if the Kerberos library client understands those prompts, it will prompt you, like in the PAM case. SSSD actually translates the Kerberos prompts into PAM prompts; that's why you see it in GDM, because GDM at least understands PAM prompts. But here you get it from the normal library.

So what I guess I'm asking is: is that renew button a literal Kerberos renewal, or is it renewed or re-kinit? That's what we were discussing yesterday. So the thing is, if I understood it correctly, the renewal can fail if the KDC doesn't allow you to renew, of course, so in that case the idea is to fall back to a simple kinit, of course. Right, I mean, if you kinit -R it's a different term for that then, because that's going to get serious. I mean, it's the right UI, I think, but I think the wrong terminology. Well, it depends on whether you know what kinit -R is. So we can discuss this, and as I say this is subject to heavy discussion. Actually we had like a year of discussion already on things; we got to this point thanks to the libsoup improvements. Now we can actually show user experience designers what we meant to have, their technical and our
discussions proved that translating the technical terms into a good flow, a workflow, is really, really hard without being able to kind of physically touch it. I guess it all depends on how much of the underlying technology you want to reveal to the... yes.

So the other part is, you could have a collection of credentials and you might want to say that a particular credential is the primary one that is picked up by default. This is not yet supported, but we want to have this supported. The renewal part is, as you saw, quite complicated, but if we go back to the browsers, it's also a complicated thing.

So when, I think half a year ago, we sat down with Red Hat's people who work on Firefox, and we tried to identify a set of bugs that really prevent us from having a good user experience with Kerberos and GSS-API overall in Firefox. We found out maybe like 10 long-standing bugs, and we started to address them. Some of them are things that really matter from the UX point of view, like automated discovery things, automated configuration, but we couldn't get to that point without discussing them with Firefox user experience designers, and to get to that level you need to really have things working smoothly. One of the biggest issues that we had was that in Firefox, when you use GSS-API, it's a synchronous API: you do something, you do a single call, it goes through all the library layers, then does the networking connection, and that networking connection might get stuck because you don't have access to an actual server, broken in the process, and sometimes that might take minutes or so. And it is done in the same UI thread that the whole UI is drawn in, so you get the whole browser locked up; you cannot switch to another tab and do something else at this time. This was since forever, since the Mozilla times. And so the guys, we, are working on implementing the fix for this, which is effectively moving the authentication to a separate thread, which actually revealed a number of bugs in the Fedora design, Firefox
design, and we got the patch accepted, which broke some other platforms. That was an interesting experience, so it was backed out, and finally, I think two weeks ago, it finally got merged with all the fixes, and today Firefox 48 with the backported patches made it into Fedora 24 updates-testing. It is actually 48.0-5 that made it today into updates-testing. There are still bugs; there were some security bugs which were fixed in private browsing mode, which was leaking your identities. It is interesting work.

Do you want to talk about the auto config? One of the proposals we have for auto config is that upstream Mozilla doesn't want to turn it on, but we think we might just try to turn it on, and the idea here is that when you get to a website that asks you for Kerberos authentication, then we'll just do it, so long as you have an encrypted tunnel. The interesting part: if you look into all the documentation that says how to configure your browser to allow Kerberos authentication, they all say you go into these preferences, you enter this domain. That is in fact a filter that verifies that you can access a certain URI; it actually does a match, so you can specify literally https:// as the value of that preference and that's it: it will match all HTTPS, or securely negotiated, websites, and then the Kerberos library will try to obtain a service ticket to that machine against your KDC. And it's really not until your KDC gives you a ticket to that machine that you connect to the machine, so there is nothing leaking out to a web server until you get the ticket, and usually it's your corporate KDC that controls whether they have a trust with that domain or not, and they either reject or allow you to do the thing. So we are at the point where, with this simple change, which does not include any domain name, which basically allows us to ship a global preference, it's just a change in the default config. Yes, it's a default config change, no code change. That's the nice thing. In Chromium and Chrome it's a bit harder, because you
either have to have a system-wide setting with an explicit domain, or you have to use command line options to launch it to enable the GSS-API support. That's why fixing libsoup and WebKitGTK actually gives us leverage for all the apps, for all the embedded things, and if you use email you are most likely embedding the engine that presents HTML email within the application. If that's corporate email, most likely it will get to some resources that might, behind the scenes, require authentication to fetch this icon or the picture that somebody put into the email.

I have a question about Chromium: can you tell me about the Kerberos configuration? So the static system-wide method, is it like a configuration file? Yes, it's a configuration file that you cannot redefine as a user. Where is it stored? It sits somewhere... The problem is it requires a domain name for every domain you want; you can't just use https://, it has to be actual... The nice thing about KDE is that they have supported this by default in Konqueror, so if you use Konqueror, well, you might get some problems with the actual rendering of the pages, but Kerberos authentication in KDE works. And this is the policy we are recommending to all browsers: if you have HTTPS, just do it automatically; there's no leakage of information except to your own KDC. Yeah, the KDC you already trust. Yes, and it's a mutual trust anyway between you and the KDC, otherwise it doesn't work. I assume that Konqueror thing is actually supported at a lower level in the browser, so anything... Yes, hopefully, it's probably the computer or something.

Yes, so the flow is synchronous; we fixed it. This is the bug I'm talking about, and this is the Fedora Firefox 48.0-2 which was submitted, I think, last week, July 27 I think. It didn't actually make it into updates-testing because the -5 overrode it. But of course we don't have an asynchronous GSS-API, and that would be real, and that would require a lot of standardization
work between all the parties, which is probably unlikely in reality. Is this something someone is going to try to do, or is it not important? So we tried to talk with Microsoft security people on this topic, and their answer was clear: they are moving away from passwords to other means of authentication. So extending Kerberos... Kerberos is mutual authentication; both parties know something that is effectively a password, the password never leaves into the network, it's used to do some sort of calculations for the exchange, but effectively you need to have this mutual authentication. They are moving to other schemes instead of mutual authentication, and let the user experience be based on those schemes rather than fixing the fundamental problems. At this point we don't want to commit to just trying to support them.

So, practical use of it. Let's do another funny example. Again I'm kinit-ing as myself, okay, use Epiphany to connect to the ownCloud instance I have. I hacked this instance to support SAML, so basically support authentication through Ipsilon, and here Ipsilon does not ask me for the password because Ipsilon allows authenticating with Kerberos on the inside. I can work with the documents and I can do some stuff, and the user is actually created within ownCloud on the fly, based on the information that Ipsilon returns to the application. Now ownCloud has the community kind of split, and Nextcloud released their software, and Nextcloud actually included the SAML plugin in the base open source version. In the ownCloud case this was part of ownCloud Enterprise; you had to pay to get it. It's 10 lines of code or something integrating with Ipsilon, so I was joking last year and I forced them... that basically in 10 lines I undermined the ownCloud business. That was kind of a joke with a future point where ownCloud got split, not because of me of course, but it shows that if you have an open core business, it's probably not a viable future business; you need to do something
better okay this is epsilon authenticate and against free IPA and now we have supporting non-frequency and like we say there's some bugs in webdav user of the SAML based workflows and overall the SAML flow was supposed to be happening in the browser with a person actually entering credentials or taking it and for effectively it requires you execution of javascript but the server returns you to submit a form back to this system so if you have embedded browser engine which disables javascript for its own reasons and never shows anything to the user you stop to answer this problem SAML has a special profile called ECP basically for browser less clients and not all implementation supported and there are some bugs in it and as we found out even without ECP if you use a protocol different from STTP you get problems so we are still thinking how to fix this and the interesting part is that you can with a simple combination of things you can much further so this is the same environment you don't have any ticket now I authenticate not against my IPA environment but against Active Directory setup that they have at all and I effectively administrator from Active Directory with this ticket and the trust that I established between this Active Directory Forest and FreeAPA I can access resources in FreeAPA domain one of them is my own cloud setup so it's a cross forest trust between the Active Directory instance and FreeAPA so you are actually getting FreeAPA tickets about using your Active Directory login yes and again epsilon notices the Kerberos credentials they are correct valid and the user that is has this Kerberos principle SSSD resolves this user into something usable so epsilon generates a packet of information about this user and submits it to the application the application actually let me stop here you get some ID with the fully qualified username because it's the way how IPA presents this Active Directory users add in their domain here and this is the address in your 
own cloud terminology where you could send from federated own clouds to each other files against my instance so that first domain is from Active Directory the second one is from the other yes so this is the interesting part you effectively can reproduce a corporate environment at your home at your will if you need maybe you don't need but there are a lot of non-profit organizations non-governmental organizations that actually have some Windows environment and they want to have control over their setup over time while they migrate and they can do this migration without disturbing the actual business that they do like helping people and of course, yes, this is very very enterprise if you run it at home to a certain degree but why not and specifically if this is actually would be not a Windows server running this Active Directory but a Samba AD that would be totally free software implementing the cool enterprise stack yes, and a final thing I didn't get any question about this but what about the disk encryption how we can get rid of the the entering password at boot time boot time so this is a demo that Nathaniel prepared for Red Hat Summit a month ago and just mute it I'll mute it actually this one so here's two Windows, this is a server this is a machine that we are actually putting in the server we install some software called Tang which is a network bound server that verifies yeah, you can there are more details about it I hope the recording that was made will be published and you can see in more detail what was there but on the client side we say that this client is now bound to the server running to the Tang server running on this machine um and after we bound we actually say that the disk of this machine which is encrypted using locks will have encryption bound network network wise, yes to the Tang we just did the binding there on the left yes, it's hard to see yes, now it actually generates the drug out generates a new boot image oh yeah yeah, it's very good 
to have so you build a new initial range and it reboots here's the magic, I don't type the password on the left it waits until it connects to the server and the server grants access to the secret that was wrapped multiple times so that the server actually doesn't know what's in this secret that the client generated when it encrypted the partition or changed the key for the partition now, he stops the actual server and the yes, and he had to type a password so if you're in your home network or you're at work where you have access to your network the amount that actually can verify you're good yeah, it's kind of a data center at home very very enterprise yeah so that's all only really related to physical network yeah but the same technology it actually does not need to be network bound it could be bound to physical token that can be somehow detected like a Bluetooth beacon or NFC or something yeah it was a whole talk, watch it next week or when it occurs yes so the whole, yes one minute so we really, what we want to achieve with this is to control your own infrastructure and the other part which I don't write here is we are getting older improving experience while maintaining good security defaults is important there is a strong opposition to get the complex things in use like by 50, 60, 70 years old and so on and they still need the same level of security as the savvy young people we are improving this we are getting a chance to ourselves, not only to our parents to actually survive in a world where security is regularly threatened to even exist thank you
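Added example, not the speaker's or the Tang project's code: the algebra behind the binding shown in the disk-encryption demo, where the client can recover its wrapping key only with the server's help, while the server never sees that key and cannot link one recovery to another. Tang does this on an elliptic curve; here it is written over a toy Diffie-Hellman group with constructed parameters so the steps read as plain modular arithmetic.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this demo and far too small for real use.
# The real protocol runs on an elliptic curve; the algebra below is the same idea
# written multiplicatively so every step is ordinary modular arithmetic.
P = 2**127 - 1
G = 3


class TangServer:
    """Holds the long-term key pair; only ever sees blinded values."""

    def __init__(self):
        self._s = secrets.randbelow(P - 2) + 1   # private exponent s, never leaves the server
        self.advertised = pow(G, self._s, P)     # public S = g^s, fetched by the client at bind time

    def recover(self, x):
        # The server applies its secret to whatever it receives: y = x^s.
        # x is blinded by the client, so the server learns neither C nor the key.
        return pow(x, self._s, P)


def derive_key(k):
    """Turn the shared group element into a symmetric key that wraps the LUKS key."""
    return hashlib.sha256(k.to_bytes(16, "big")).digest()


def bind(server_public):
    """Client provisioning, done once while the server is reachable.
    Returns the wrapping key plus the metadata kept alongside the LUKS header."""
    c = secrets.randbelow(P - 2) + 1
    k = pow(server_public, c, P)                       # K = S^c
    meta = {"srv": server_public, "C": pow(G, c, P)}   # keep C = g^c; c itself is discarded
    return derive_key(k), meta


def unlock(meta, server):
    """Client side at boot: recover K with one blinded round-trip to the server."""
    e = secrets.randbelow(P - 2) + 1
    x = meta["C"] * pow(G, e, P) % P                    # X = C * g^e, a fresh blinding every boot
    y = server.recover(x)                               # Y = X^s = S^c * S^e
    k = y * pow(pow(meta["srv"], e, P), -1, P) % P      # strip S^e, leaving S^c = K
    return derive_key(k)


def demo():
    """Unlock succeeds against the bound server and fails against any other server."""
    srv = TangServer()
    key, meta = bind(srv.advertised)
    return unlock(meta, srv) == key, unlock(meta, TangServer()) != key
```

The second check in `demo` mirrors the moment in the demo where the Tang server is stopped: without the bound server's secret, the header metadata alone cannot reproduce the key.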