Namecoin as Root-CA for .bit-domains/identities
Posted: Fri Sep 11, 2015 11:14 am
The scandals in the last three years, with certificate authorities issuing non-validated certificates and intermediate certificates or being hacked, have shown that certificate authorities are not reliable, which breaks the security of SSL/TLS. CAs do not issue certificates for .bit domains.
So I suggest using a blockchain as the Root-CA.
How it can work:
Registering name/creating certificates:
1. The user uses the Namecoin client to create a Namecoin wallet and save it (e.g. as a paper wallet).
2. The user uses the Namecoin client to register one or more .bit names/identities per wallet.
3. The user uses the Namecoin client to create an X.509 server certificate (.bit name) or an X.509 S/MIME certificate (identity) signed with the wallet keys.
Root-CA-lookup:
1.) The Namecoin client can use an overlay filesystem to present the tuple <identity|.bit-name>:<public asymmetric key> from the blockchain as virtual X.509 root-certificate files in the SSL root-certificate directory of the operating system (e.g. /etc/ssl/certs on Linux).
2.) Authentication applications (e.g. TLS/SSL) find the virtual X.509 root certificates in the filesystem like any other X.509 certificate.
P.S.: I've created a Tor ticket to use a blockchain to create .onion domains. Please support the Tor ticket!
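The registration and lookup steps above, worked through end to end as an added example (this is illustrative code, not the Namecoin client or anything from the post). It assumes an in-memory `Blockchain` map standing in for name lookups against the chain, a constructed `NameRecord` layout that stores the SHA-256 of the owner's DER SubjectPublicKeyInfo (the post specifies no record format), and a P-256 wallet key, because the Go standard library has no secp256k1 and the curve does not matter for the idea. The owner self-signs an X.509 certificate for `example.bit` with the wallet key; the verifier treats the blockchain record, not a CA bundle, as the trust anchor: it only admits the certificate into the root pool after the certificate's key matches the record, then lets the normal X.509 checks run. A certificate for the same name signed with a different key, and a name with no record, are both rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NameRecord stands in for a registered .bit name as read from the Namecoin
// blockchain: the tuple <name>:<public key>. The key is kept as the SHA-256 of
// its DER SubjectPublicKeyInfo. (Constructed layout for this example.)
type NameRecord struct {
	Name     string
	SPKIHash [32]byte
}

// Blockchain is a constructed in-memory stand-in for name lookups on the chain.
type Blockchain map[string]NameRecord

// newWalletKey models step 1 (create a wallet). Assumption: P-256 instead of
// Namecoin's secp256k1, which the Go standard library does not provide.
func newWalletKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// register models step 2: bind the .bit name to the wallet's public key.
func (bc Blockchain) register(name string, pub *ecdsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	bc[name] = NameRecord{Name: name, SPKIHash: sha256.Sum256(der)}
	return nil
}

// createBitCert models step 3: an X.509 server certificate for the .bit name,
// self-signed with the wallet key. It is marked as a CA so that it can act as
// its own trust anchor once the key has been matched to the blockchain record.
func createBitCert(name string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyBitCert is the root-CA lookup: the blockchain record decides which key
// may speak for the name, then ordinary X.509 validation does the rest.
func verifyBitCert(cert *x509.Certificate, name string, bc Blockchain) error {
	rec, ok := bc[name]
	if !ok {
		return fmt.Errorf("%s: no name record in blockchain", name)
	}
	if sha256.Sum256(cert.RawSubjectPublicKeyInfo) != rec.SPKIHash {
		return fmt.Errorf("%s: certificate key does not match blockchain record", name)
	}
	// Roots are trusted by identity, so check the self-signature explicitly.
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return err
	}
	// Only now does the certificate become the "virtual root" for this name.
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: name, Roots: roots})
	return err
}

func main() {
	bc := Blockchain{}
	owner, _ := newWalletKey()
	_ = bc.register("example.bit", &owner.PublicKey)
	cert, _ := createBitCert("example.bit", owner)
	fmt.Println("owner cert:", verifyBitCert(cert, "example.bit", bc))

	mallory, _ := newWalletKey()
	forged, _ := createBitCert("example.bit", mallory) // same name, wrong key
	fmt.Println("forged cert:", verifyBitCert(forged, "example.bit", bc))
}
```

Note the check this example does not perform: a Namecoin name record expires if it is not renewed, so a real client must treat a stale or expired record as "no record", not as a trust anchor.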