I open this topic to discuss about this possibility, to see if and how it would be feasible and/or useful.
As it won't be possible to register those names in namecoin directly (because anybody could squat an existing domain), we will have to find a way to do the matching between an ICANN domain and an arbitrary namecoin record (with a TXT record and a signature in the ICANN zone for example).
Convergence would need be able to remember this matching (by caching it like it does for fingerprints ?) for performance reasons.
The debate is open :p
Add support to ICANN/IANA domains into Convergence ?
Add support to ICANN/IANA domains into Convergence ?
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
Re: Add support to ICANN/IANA domains into Convergence ?
So I'm a little unclear on what advantages this brings ... does it mean non ".bit" names can then use the self-signed TLS (nmcsec) biolizard has operational ... or something else also?
Re: Add support to ICANN/IANA domains into Convergence ?
You want to add Namecoin TLS support to ordinary domains? Good idea but how to make it secure?
How to make the connection from xkcd.com to the TLS record?
How to make the connection from xkcd.com to the TLS record?
Aha. Had not even known this was possible.khal wrote: As it won't be possible to register those names in namecoin directly (because anybody could squat an existing domain), we will have to find a way to do the matching between an ICANN domain and an arbitrary namecoin record (with a TXT record and a signature in the ICANN zone for example).
Just like normal DNS caching? Not sure if you mean the additional ICANNot info or the Namecoin record?Convergence would need be able to remember this matching (by caching it like it does for fingerprints ?) for performance reasons.
Re: Add support to ICANN/IANA domains into Convergence ?
Yes, my idea is to use nmcsec to also validate non .bit domains (using self-signed certs or not).moa wrote:So I'm a little unclear on what advantages this brings ... does it mean non ".bit" names can then use the self-signed TLS (nmcsec) biolizard has operational ... or something else also?
Not sure if possible/secure for now.
From previous discussions I had with biolizard, we arrived to the conclusion that it was not a good idea for security reasons to support certificate authorities for .bit domains (a certificate signed by another certificate in namecoin). Biolizard, if you remember why it would help this discussion :p
Yep.phelix wrote:You want to add Namecoin TLS support to ordinary domains? Good idea but how to make it secure?
How to make the connection from xkcd.com to the TLS record?
Here is how it could be done (only one way to do it I guess, maybe not a perfect one) :
1. Convergence receives a request for "http://dot-bit.org"
2. It then makes a DNS request to get the TXT records for dot-bit.org
3. If it contains a nmcsig and a namecoin name, verify it with namecoin (requires namecoin-qt in daemon mode or the future namecoin 0.8 :p) otherwise it'll process it the normal way
4. if the sig is correct, use the sha1 fingerprint of this namecoin name to check against the dot-bit.org certificate
5. the domain + the fingerprint is cached in Convergence (already working like that), so, next request will reuse this directly
Weak points :
- the DNS request for the TXT record is not secured => Convergence allows us to check the record against several notaries (not sure it really works like that, would need to be checked)
- what is the result if someone put the fingerprint of a CA in namecoin
- domain owner can't provide a valid certificate for people not using Convergence (but we could check the certificate of dot-bit.bit instead of dot-bit.org in the step 4 to provide a second certificate for Convergence, once the sig is verified)
- else ?
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
-
- Posts: 2001
- Joined: Tue Jun 05, 2012 6:25 am
- os: linux
Re: Add support to ICANN/IANA domains into Convergence ?
If I recall correctly, the problem with using CA's for .bit was that if the CA got compromised or was malicious, it could compromise a large number of .bit sites and the end user visiting the site would have no way to know that this was a risk.khal wrote:Yes, my idea is to use nmcsec to also validate non .bit domains (using self-signed certs or not).moa wrote:So I'm a little unclear on what advantages this brings ... does it mean non ".bit" names can then use the self-signed TLS (nmcsec) biolizard has operational ... or something else also?
Not sure if possible/secure for now.
From previous discussions I had with biolizard, we arrived to the conclusion that it was not a good idea for security reasons to support certificate authorities for .bit domains (a certificate signed by another certificate in namecoin). Biolizard, if you remember why it would help this discussion :p
If this proposal can be broken by DNS records being compromised, how is it superior to embedding TLS fingerprints in a DNSSEC record? I believe Chrome already has support for reading TLS fingerprints from DNSSEC. Maybe I'm just not understanding your proposal.khal wrote:Yep.phelix wrote:You want to add Namecoin TLS support to ordinary domains? Good idea but how to make it secure?
How to make the connection from xkcd.com to the TLS record?
Here is how it could be done (only one way to do it I guess, maybe not a perfect one) :
1. Convergence receives a request for "http://dot-bit.org"
2. It then makes a DNS request to get the TXT records for dot-bit.org
3. If it contains a nmcsig and a namecoin name, verify it with namecoin (requires namecoin-qt in daemon mode or the future namecoin 0.8 :p) otherwise it'll process it the normal way
4. if the sig is correct, use the sha1 fingerprint of this namecoin name to check against the dot-bit.org certificate
5. the domain + the fingerprint is cached in Convergence (already working like that), so, next request will reuse this directly
Weak points :
- the DNS request for the TXT record is not secured => Convergence allows us to check the record against several notaries (not sure it really works like that, would need to be checked)
- what is the result if someone put the fingerprint of a CA in namecoin
- domain owner can't provide a valid certificate for people not using Convergence (but we could check the certificate of dot-bit.bit instead of dot-bit.org in the step 4 to provide a second certificate for Convergence, once the sig is verified)
- else ?
Re: Add support to ICANN/IANA domains into Convergence ?
thisbiolizard89 wrote: [...]
If this proposal can be broken by DNS records being compromised, how is it superior to embedding TLS fingerprints in a DNSSEC record? I believe Chrome already has support for reading TLS fingerprints from DNSSEC. Maybe I'm just not understanding your proposal.
Re: Add support to ICANN/IANA domains into Convergence ?
Firefox is able to support self-signed certificates with fingerprints in a DNS record (TLSA) & DNSSEC, with a plugin :biolizard89 wrote: If this proposal can be broken by DNS records being compromised, how is it superior to embedding TLS fingerprints in a DNSSEC record? I believe Chrome already has support for reading TLS fingerprints from DNSSEC. Maybe I'm just not understanding your proposal.
https://os3sec.org/
This feature seems to have been removed from chrome :
https://www.imperialviolet.org/2011/06/ ... hrome.html
Most people don't use DNSSEC on their domains/browsers, so, thats why the Convergence plugin exists too (skipping CA is the other reason).
Of course, using notaries it not perfectly secure : if your whole internet connection is the under control of someone else, it's ended, if at least 1 dns server reply something different I guess Convergence will report an error. But, it can still be used as a less secure replacement for DNSSEC, particularly when there is no DNSSEC.
This does not mean that using DNSEC is a bad idea, of course, but for now, Convergence does not support it, and browsers don't support TLSA records natively (so, no auto-validated self-signed certificates).
An interesting work would be to merge the code of https://os3sec.org/ into Convergence, but this wouldn't solve any problem for domains not signed with DNSSEC.
From all the previous remarks/posts, I can deduce the following question :
* Would it be interesting to have this system for non .bit domains ?
- less secure than DNSSEC (using notaries) if Convergence does not support DNSSEC (the browser couldn't do a DNSSEC request first and if there is no TLSA record give the request to Convergence, so, this would break DNSSEC ? Does Convergence really works like that ?)
- as secure as DNSSEC if we add DNSSEC support to Convergence
- more secure if the domain/browser does not support DNSSEC (by using notaries instead of 1 DNS server & tls fingerprint in DNS records)
- that would allow to skip CA
- that would allow to use self-signed certificates
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent