9 files changed, 394 insertions, 4 deletions
diff --git a/template/applications.html.j2 b/template/applications.html.j2
index 1b47258a..f1f0e30f 100644
--- a/template/applications.html.j2
+++ b/template/applications.html.j2
@@ -37,8 +37,8 @@
      <section>
      <h3>{{ _("Self-sovereign, decentralized identity provider") }}</h3>
      <p>
+        <a href="{{ url_localized('reclaim/index.html') }}">re:claimID</a>
        {% trans %}
-        <a href="https://reclaim.gnunet.org/">re:claimID</a>
        is a decentralized Identity Provider (IdP) service built in top of the
        GNU Name System. It allows users to securely share personal information
        with websites using standardized protocols (OpenID Connect).
diff --git a/template/install.html.j2 b/template/install.html.j2
index 87f80ead..1c63b0c0 100644
--- a/template/install.html.j2
+++ b/template/install.html.j2
@@ -7,13 +7,11 @@
  </header>
  <div class="row container justify-content-center">
-    <div class="alert" style="background-color: #419edb;">
+    <div class="alert alert-info">
-      <div class="alert-content">
 {% trans %}
          Notice: GNUnet is still undergoing major development. It is
          largely <i>not yet ready</i> for usage beyond developers.
 {% endtrans %}
-      </div>
    </div>
 {% trans %}
 <p>Please be aware that this project is still in an early alpha
diff --git a/template/reclaim/faq.html.j2 b/template/reclaim/faq.html.j2
new file mode 100644
index 00000000..b49b8f6c
--- /dev/null
+++ b/template/reclaim/faq.html.j2
@@ -0,0 +1,26 @@
+{% extends "common/base.j2" %}
+{% block body_content %}
+<div class="m-3">
+  <a class="mt-2 mb-2" href="{{ url_localized('reclaim/index.html') }}">reclaimID</a> / FAQ
+</div>
+<h2 class="text-center">{{ _("Frequently asked questions") }}</h2>
+<br/>
+<div class="container">
+  <ul class="fa-ul">
+    <li class="mt-4"><i class="fa-li fas fa-question-circle"></i> <b>How is re:claimID different from</b> <i>&lt;insert other identity provider service here&gt; ?</i></li>
+    <li><i class="fa-li fas fa-comment"></i> Unlike most other identity provider services, re:claimID is not operated by a single service provider or even a federated consortium of service providers. Instead, it is a fully decentralised service operated implicitly by its users. Consequently, large-scale data monetisation, mass-surveillance and other (ab)use of personal data is inherently mitigated.</li>
+    <li class="mt-4"><i class="fa-li fas fa-question-circle"></i> <b>How much does re:claimID cost?</b></li>
+    <li><i class="fa-li fas fa-comment"></i> re:claimID is Free Software. We argue that in order for an identity system to be a credible solution for self-sovereign citizens to exercise their right to digital self determination, open and free software as well as services are indispensible.</li>
+    <li class="mt-4"><i class="fa-li fas fa-question-circle"></i> <b>How does re:claimID work?</b></li>
+    <li><i class="fa-li fas fa-comment"></i> re:claimID uses the GNU Name System as identity and attribute directory service. In order to allow the user to enforce access control decisions, we use a cryptographic access control layer. However, the user is not required to manage any cryptographic keys or manage zones in a namespace. This is done under the hood by re:claimID.</li>
+    <li class="mt-4"><i class="fa-li fas fa-question-circle"></i> <b>How does a website know the attribute data share via re:claimID is correct?</b></li>
+    <li><i class="fa-li fas fa-comment"></i> Short answer: It doesn't.
+      Long answer: Identities are initially self-asserted by the user. re:claimID could, however, also be used to share third party attested attributes (e.g. X.509 certificates). Further, have integrated <a href="https://github.com/Fraunhofer-AISEC/libpabc">Privacy-ABCs</a> for <a href="{{ url_localized('news/2021-05-DISSENS.html') }}">this use case</a>.</li>
+    <li class="mt-4"><i class="fa-li fas fa-question-circle"></i> <b>Who is behind re:claimID?</b></li>
+    <li><i class="fa-li fas fa-comment"></i> re:claimID was initially developed at <a href="https://aisec.fraunhofer.de">Fraunhofer AISEC</a> and is part of GNUnet.</li>
+    <li class="mt-4"><i class="fa-li fas fa-question-circle"></i> <b>I found a bug!</b></li>
+    <li><i class="fa-li fas fa-comment"></i> We aim to continuously develop and improve re:claimID. Help us by <a href="https://bugs.gnunet.org">reporting any issues you encounter</a>.</li>
+  </ul>
+</div>
+{% endblock body_content %}
diff --git a/template/reclaim/idps.html.j2 b/template/reclaim/idps.html.j2
new file mode 100644
index 00000000..5101b0d7
--- /dev/null
+++ b/template/reclaim/idps.html.j2
@@ -0,0 +1,30 @@
+{% extends "common/base.j2" %}
+{% block body_content %}
+<div class="m-3">
+  <a class="mt-2 mb-2" href="{{ url_localized('reclaim/index.html') }}">reclaimID</a> / IdPs
+</div>
+<h2 class="text-center">{{ _("For IdPs") }}</h2>
+<br/>
+<div class="container">
+  <h2><b>Step 1:</b> OpenID Service</h2>
+  As an identity provider and credential issuer, you need to setup an OpenID Connect server. There are many servers out there. For a list of servers, check out the <a href="https://openid.net/developers/certified/">OpenID website</a>.
+  One important caveat is that the server should allow you to issue user information inside the signed "ID Token".
+  The configuration regarding what user information goes into the token is of course completely under your discretion.
+  <h2 class="mt-5"><b>Step 2:</b> Configuring the reclaimID client</h2>
+  reclaimID uses special client values which must be registered at the OpenID server. The values are:
+  <ul>
+    <li><b>Client ID</b>: reclaimid</li>
+    <li><b>Client secret</b>: none (public client)</li>
+    <li><b>Redirect URI</b>: https://ui.reclaim</li>
+    <li><b>Grant type</b>: Authorization code</li>
+    <li><b>PKCE</b>: enabled (Optional but highly recommended)</li>
+  </ul>
+  <h2 class="mt-5"><b>Step 3:</b> Configuring a webfinger</h2>
+  You must support the webfinger-based <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect service discovery</a>.
+  Whenever the user configures an email address for an identity, reclaimID will try to discover the issuing identity provider through the OIDC Discovery protocol. This includes a <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#EmailSyntax">request to the authority part of the email address</a>.
+  The response should point reclaimID to the actual OpenID Connect service <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">serving the issuer medatata</a>. reclaimID will try to request all scopes which are listed in the metadata, but does not expect all of them to be granted.
+</div>
+{% endblock body_content %}
diff --git a/template/reclaim/index.html.j2 b/template/reclaim/index.html.j2
new file mode 100644
index 00000000..c52b9ad6
--- /dev/null
+++ b/template/reclaim/index.html.j2
@@ -0,0 +1,102 @@
+{% extends "common/base.j2" %}
+{% block body_content %}
+<div class="container">
+  <div class="row">
+    <div class="container text-center">
+      <img style="width:50%" src="{{ url_static('images/reclaim_logo.png') }}"  alt="reclaimID" />
+      <br/>
+      <p class="mt-4">{{ _("Self-sovereign, Decentralised Identity Management and Personal Data Sharing") }}</p>
+    </div>
+  </div>
+</div>
+<div class="container-fluid greybox">
+  <div class="container">
+    <div class="row">
+      <div class="col-lg-2"></div>
+      <div class="col-lg-6">
+        <section>
+          <h2>{{ _("Self-sovereign") }}</h2>
+          <p>
+          {% trans %}
+          You manage your identities and attributes locally on your computer. No need to trust a third party service with your data.
+          {% endtrans %}
+          </p>
+        </section>
+      </div>
+      <div class="col-lg-3 homepageicon">
+        <span class="fas fa-fist-raised"></span>
+      </div>
+    </div>
+  </div>
+</div>
+<div class="container-fluid">
+  <div class="container">
+    <div class="row">
+      <div class="col-lg-2 homepageicon">
+        <span class="fas fa-project-diagram"></span>
+      </div>
+      <div class="col-lg-6">
+        <section>
+          <h2>{{ _("Decentralized") }}</h2>
+          <p>
+          {% trans %}
+          You can share your identity attributes securely over a decentralized name system. This allows your friends to access your shared data without the need of a trusted third party.
+          {% endtrans %}
+          </p>
+        </section>
+      </div>
+    </div>
+  </div>
+</div>
+<div class="container-fluid greybox">
+  <div class="container">
+    <div class="row">
+      <div class="col-lg-2"></div>
+      <div class="col-lg-6">
+        <section>
+          <h2>{{ _("Standard-compliant") }}</h2>
+          <p>
+          {% trans %}
+          You can use OpenID Connect to integrate reclaim in your web sites.
+          {% endtrans %}
+          </p>
+        </section>
+      </div>
+      <div class="col-lg-3 homepageicon">
+        <span class="fab fa-openid"></span>
+      </div>
+    </div>
+  </div>
+</div>
+<hr/>
+<div class="container-fluid">
+  <div class="container">
+    <div class="row">
+      <div class="col-md-4 mt-1">
+        <a class="frontpage btn btn-primary btn-lg" href="{{ url_localized('reclaim/tech.html') }}"><i class="fas fa-cubes"></i><br/>{{ _("Technology") }}</a>
+      </div>
+      <div class="col-md-4 mt-1">
+        <a class="frontpage btn btn-primary btn-lg" href="{{ url_localized('reclaim/motivation.html') }}"><i class="fas fa-fire"></i><br/>{{ _("Motivation") }}</a>
+      </div>
+      <div class="col-md-4 mt-1">
+        <a class="frontpage btn btn-primary btn-lg" href="{{ url_localized('reclaim/faq.html') }}"><i class="fas fa-question"></i><br/>{{ _("FAQ") }}</a>
+      </div>
+    </div>
+    <div class="row">
+      <div class="col-md-4 mt-1">
+        <a class="frontpage btn btn-primary btn-lg" href="{{ url_localized('reclaim/users.html') }}"><i class="fas fa-user"></i><br/>{{ _("For users") }}</a>
+      </div>
+      <div class="col-md-4 mt-1">
+        <a class="frontpage btn btn-primary btn-lg" href="{{ url_localized('reclaim/websites.html') }}"><i class="fas fa-globe"></i><br/>{{ _("For websites") }}</a>
+      </div>
+      <div class="col-md-4 mt-1">
+        <a class="frontpage btn btn-primary btn-lg" href="{{ url_localized('reclaim/idps.html') }}"><i class="fas fa-users"></i><br/>{{ _("For IdPs") }}</a>
+      </div>
+    </div>
+  </div>
+</div>
+{% endblock body_content %}
diff --git a/template/reclaim/motivation.html.j2 b/template/reclaim/motivation.html.j2
new file mode 100644
index 00000000..973fbddf
--- /dev/null
+++ b/template/reclaim/motivation.html.j2
@@ -0,0 +1,34 @@
+{% extends "common/base.j2" %}
+{% block body_content %}
+<div class="m-3">
+  <a class="mt-2 mb-2" href="{{ url_localized('reclaim/index.html') }}">reclaimID</a> / Motivation
+</div>
+<h2 class="text-center">{{ _("Motivation") }}</h2>
+<br/>
+<div class="container">
+<p>
+Today, users are often required to share personal data, like email addresses, to use services on the web. As part of normal service operation, such as notifications or billing, services require access to -- ideally fresh and correct -- user data.
+Sharing attributes in the Web today is often done via centralized service providers to reduce data redundancy and to give services access to current, up-to-date information even if the user is currently offline.
+Abuse of this power is theoretically limited by local laws and regulations.
+But, the past has shown that even well-meaning identity providers struggle to keep user data safe as they become major targets for hackers and nation state actors while striving for monetizing anonymized statistics from these data.
+We advocate for a new, decentralized way for users to manage their identities for the following reasons:
+</p>
+<ul class="fa-ul">
+  <li><i class="fa-li fas fa-caret-right"></i> The current state of omniscient identity providers is a significant threat to the users' privacy.</li>
+  <li><i class="fa-li fas fa-caret-right"></i> Users must completely trust the service provider with respect to protecting the integrity and confidentiality of their identity in their interest.</li>
+  <li><i class="fa-li fas fa-caret-right"></i> The service provider itself is facing substantial liability risks given the responsibility of securely managing potentially sensitive personal data of millions of users.</li>
+</ul>
+<p>re:claimID is built as a service on top of the peer-to-peer framework <a href="https://gnunet.org">GNUnet</a>.<br/>
+It emerged from research conducted by the research group "Secure
+Applications and Services" at the <a href="https://www.aisec.fraunhofer.de/de/fields-of-expertise/projekte/reclaim.html">Fraunhofer AISEC</a> research institute.<br/>
+A scientific, peer-reviewed paper on the theoretical foundations of re:claimID
+was published at <a href="https://ieeexplore.ieee.org/document/8456003">TrustCom 2018</a>
+(<a href="https://arxiv.org/abs/1805.06253v1">Arxiv</a>).<br/> re:claimID is
+primarily developed in the
+<a href="https://git.gnunet.org/gnunet.git/tree/src/reclaim">GNUnet source tree</a>.
+Accompanying tools and sources can be found in the
+<a href="https://gitlab.com/reclaimid">Gitlab project</a>.
+</p>
+</div>
+{% endblock body_content %}
diff --git a/template/reclaim/tech.html.j2 b/template/reclaim/tech.html.j2
new file mode 100644
index 00000000..41894e91
--- /dev/null
+++ b/template/reclaim/tech.html.j2
@@ -0,0 +1,115 @@
+{% extends "common/base.j2" %}
+{% block body_content %}
+<div class="m-3">
+  <a class="mt-2 mb-2" href="{{ url_localized('reclaim/index.html') }}">reclaimID</a> / Technology
+</div>
+<h2 class="text-center">{{ _("Overview") }}</h2>
+<div style="text-align:center">
+  <img style="width:75%" src="{{ url_static('images/reclaim/reclaim_eq.png') }}"/>
+</div>
+<br/>
+<div class="container">
+  <div class="row">
+    <div class="col-lg-6">
+      <h3>
+        {{ _("Decentralised identity directory") }}
+      </h3>
+      <p>
+      {% trans %}
+      The decentralised GNU Name System (GNS) gives users full and exclusive authority over their attributes by sharing them over user-owned namespaces.
+      {% endtrans %}
+      </p>
+    </div>
+    <div class="col-lg-6">
+      <div>
+        <h3>
+          {{ _("Cryptographic access control") }}
+        </h3>
+      </div>
+      <p>
+      {% trans %}
+Users regularly publish fresh, up-to-date attributes which can be retrieved and
+read only by authorized relying parties parties without direct user interaction -- even if the user is offline!
+      {% endtrans %}
+      </p>
+    </div>
+  </div>
+</div>
+<hr/>
+<h2 class="text-center">{{ _("Principles") }}</h2>
+<div class="container-fluid greybox">
+  <div class="container">
+    <div class="row">
+      <div class="col-lg-1"></div>
+      <div class="col-lg-6">
+        <section>
+        <h2>{{ _("Identity and attribute management") }}</h2>
+        <p>
+        {% trans %}
+      Users regularly publish fresh, up-to-date attributes which can be retrieved by requesting parties without direct user interaction -- even if the user is offline!
+      Access to attributes is controlled through an ecryption based access
+      control layer.
+        {% endtrans %}
+        </p>
+        </section>
+      </div>
+      <div class="col-lg-5 homepageicon">
+        <a href="{{ url_static('images/reclaim/Reclaim-2.png') }}"><img style="width:100%" src="{{ url_static('images/reclaim/Reclaim-2.png') }}"/></a>
+      </div>
+    </div>
+  </div>
+</div>
+<div class="container-fluid">
+  <div class="container">
+      <div class="row">
+      <div class="col-lg-5 homepageicon">
+        <a href="{{ url_static('images/reclaim/Reclaim-3.png') }}"><img style="width:100%" src="{{ url_static('images/reclaim/Reclaim-3.png') }}"/></a>
+      </div>
+      <div class="col-lg-6">
+      <section>
+        <h2>{{ _("Authorization") }}</h2>
+        <p>
+        {% trans %}
+        To access attributes, requesting parties request authorization from the
+        user thrugh the use of OpenID Connect.
+        If access is granted, the relying party is given the necessary decryption
+        key material.
+        The user may at any time revoke this access or modify the authorization decision.
+        {% endtrans %}
+        </p>
+      </section>
+    </div>
+  </div>
+</div>
+<div class="container-fluid greybox">
+  <div class="container">
+    <div class="row">
+      <div class="col-lg-1"></div>
+      <div class="col-lg-6">
+        <section>
+        <h2>{{ _("Attribute retrieval") }}</h2>
+        <p>
+        {% trans %}
+      Relying parties retrieve encrypted identity data from the decentralised
+      directory.
+      It is able to decrypt all those attributes that the user has authorized
+      it to access using the respective key.
+        {% endtrans %}
+        </p>
+        </section>
+      </div>
+      <div class="col-lg-5 homepageicon">
+        <a href="{{ url_static('images/reclaim/Reclaim-4.png') }}"><img style="width:100%" src="{{ url_static('images/reclaim/Reclaim-4.png') }}"/></a>
+      </div>
+    </div>
+  </div>
+</div>
+<hr/>
+<h2 style="text-align:center" class="mt-2">Videos and Talks</h2>
+<ul class="fa-ul">
+  <li><i class="fa-li fas fa-caret-right"></i> <a href="https://youtu.be/PlSX-o36Wus?t=5371">IETF Meeting #104; Privacy Enhancements and Assessments Research Group - March 2019</a> (<a href="https://git.gnunet.org/presentations.git/plain/IETF104/slides-104-pearg-reclaim-00.pdf">Slides</a>)</li>
+  <li><i class="fa-li fas fa-caret-right"></i> <a href="https://media.ccc.de/v/ds19-10383-re_claimid">Datenspuren 2019 - September 2019 (German)</a> (<a href="https://git.gnunet.org/presentations.git/plain/datenspuren2019/datenspuren2019.pdf">Slides</a>, English)</li>
+</ul>
+{% endblock body_content %}
diff --git a/template/reclaim/users.html.j2 b/template/reclaim/users.html.j2
new file mode 100644
index 00000000..8b78dc11
--- /dev/null
+++ b/template/reclaim/users.html.j2
@@ -0,0 +1,40 @@
+{% extends "common/base.j2" %}
+{% block body_content %}
+<div class="m-3">
+  <a class="mt-2 mb-2" href="{{ url_localized('reclaim/index.html') }}">reclaimID</a> / Users
+</div>
+<h2 class="text-center">{{ _("For users") }}</h2>
+<br/>
+<div class="container">
+  <h2><b>Step 1:</b> Installation</h2>
+  <p>
+    Please use the <a href="{{ url_localized('install.html') }}">GNUnet installation guides</a>.
+  </p>
+  <h2 class="mt-5"><b>Step 2:</b> Browser plugin</h2>
+  <p>You also need to install a browser plugin:</p>
+  <div class="centering">
+    <a class="btn btn-primary" target="_blank" rel="noopener noreferrer"
+                                               href="https://addons.mozilla.org/addon/reclaimid/"><i class="fab fa-firefox"></i> Mozilla Firefox</a>
+    <a class="btn btn-primary" target="_blank" rel="noopener noreferrer"
+                                               href="https://chrome.google.com/webstore/detail/reclaimid/jiogompmdejcnacmlnjhnaicgkefcfll"><i class="fab fa-chrome"></i> Chrome / Chromium</a>
+  </div>
+  <br/>
+  <h2 class="mt-5"><b>Step 3:</b> Creating your first identity</h2>
+  <p>Almost there. Now try adding a new identity at <a href="https://ui.reclaim">your local re:claimID instance</a> and add some attributes to it.
+  <br/>
+  <h2 class="mt-5">Websites supporting re:claimID</h2>
+  <p>To test a login with one of your re:claimID identities, you can go to one of the websites supporting it:</p>
+  <ul>
+    <li><a href="https://demo.reclaim-identity.io">Our demo messaging board</a> (<a href="https://gitlab.com/reclaimid/demo">Source</a>)</li>
+    <li><a href="https://eusec.clouditor.io">Clouditor EUSEC project page</a></li>
+  </ul>
+  <h2 class="mt-5">Troubleshooting</h2>
+  In case you encounter any problems, please check for <a href="https://bugs.gnunet.org">known issues and report bugs to help us improve re:claimID!</a>
+</div>
+{% endblock body_content %}
diff --git a/template/reclaim/websites.html.j2 b/template/reclaim/websites.html.j2
new file mode 100644
index 00000000..f4e7fec9
--- /dev/null
+++ b/template/reclaim/websites.html.j2
@@ -0,0 +1,45 @@
+{% extends "common/base.j2" %}
+{% block body_content %}
+<div class="m-3">
+  <a class="mt-2 mb-2" href="{{ url_localized('reclaim/index.html') }}">reclaimID</a> / Websites
+</div>
+<h2 class="text-center">{{ _("For websites") }}</h2>
+<div class="container">
+  <h2><b>Step 1:</b> Installation</h2>
+  <p>
+    Please use the <a href="{{ url_localized('install.html') }}">GNUnet installation guides</a>.
+  </p>
+  <h2 class="mt-5"><b>Step 2:</b> Registering an OpenID Connect client</h2>
+  <p>The easiest way to manage OpenID Connect client is through our CLI tool:</p>
+  <code class="block">$ gem install reclaim-oidc</code>
+  <p>To register an OpenID Connect client, execute:</p>
+  <code class="block">$ reclaim-oidc --add --client-name myclient --redirect-uri https://mywebsite.com/oidc_cb --description "My Client"</code>
+  <p>You can list all registered clients and your local OpenID Connect metadata required to initiate an authorization code flow by executing:</p>
+  <code class="block">$ reclaim-oidc --list </code>
+  <p>The response will look like this</p>
+  <code class="block">OpenID Connect Provider Information:<br/>
+  ------------------------------------<br/>
+  Authorize Endpoint: http://localhost:7776/openid/authorize<br/>
+  Token Endpoint: http://localhost:7776/openid/token<br/>
+  JSON-Web-Token Algorithm: HS512<br/>
+  JSON-Web-Token key: secret<br/>
+  Example Authorization Redirect:<br/>
+  https://api.reclaim/openid/authorize?client_id=&lt;client_id&gt;&amp;redirect_uri=&lt;redirect_uri&gt;&amp;response_type=code&amp;scope=email%20full_name&amp;nonce=1234<br/>
+  <br/>
+  Registered Clients:<br/>
+  -------------------<br/>
+  name: myclient<br/>
+  client_id: &lt;client_id&gt;<br/>
+  client_secret: &lt;client_secret&gt;<br/>
+  description: My Client<br/>
+  redirect_uri: https://mywebsite.com/oidc_cb<br/>
+  ...
+  </code>
+  <div class="alert alert-info"><b>NOTE</b>: The client secrets and JWT token signing keys can be configured. However, due to the fact that re:claimID endpoint are running on your local machine, they are not critical.</div>
+  <h2 class="mt-5"><b>Step 3:</b> Website integration</h2>
+  <p>You can use the information above to integrate re:claimID as a generic <a href="https://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect Identity Provider</a> into the web application of your choice. The integration steps for this part depend on the application you use. Hence, please refer to your respective documentation or the OpenID Connect specifications.
+  </p>
+  <p>The sources of our <a href="https://demo.reclaim-identity.io">demo website</a> can be found in our <a href="https://gitlab.com/reclaimid/demo">gitlab project</a>.</p>
+</div>
+{% endblock body_content %}