You can create as many different X.509 server- or S/MIME-certificates for a <name> as you want. Each one will have a unique RSA key-pair and the X.509 server- or S/MIME-certificate itself will be signed with the private key of the corresponding blockchain wallet. After creation you just install the server-certificates on your servers (e.g. Apache) and the S/MIME-certificates in your applications (e.g. Firefox). The X.509 server- or S/MIME-certificates are valid until "notAfter" expires or the <name> (e.g. identity|.bit-domain) is removed from the blockchain wallet. Removing the <name> from the blockchain wallet revokes ALL X.509 server- or S/MIME-certificates created for the <name>:<wallet> combination. If X.509 server- or S/MIME-certificates are compromised you revoke them by transferring the <name> to another wallet.
There are only two key pairs involved:
- X.509 server- or S/MIME-certificates: RSA key-pair to authenticate/exchange stream ciphers in applications
Blockchain: ECDSA wallet key-pair to sign the X.509 server- or S/MIME-certificates
The hierarchy:
Blockchain (replaces Certificate Authorities)
|
X.509 server- or S/MIME-certificates
biolizard89 wrote:Hmm.... how is key rotation handled? Let's say I want to change keys for whatever reason -- does that mean that under your scheme, I will have to change my server's TLS cert exactly when the blockchain adds the block with my name_update, or can I have more than one key at a time?
If you set the "notAfter"-value of the X.509 server- or S/MIME-certificates to e.g. 3 month + 2 weeks they will expire after 3 month + 2 weeks and you can add new X.509 server- or S/MIME-certificates to your applications every three month. That way the certificates will overlap for two weeks.
If you want to change the wallet keys you create the new X.509 server- or S/MIME-certificates signed with the private ECDSA key of a new wallet, install them into your applications and transfer the <name> to the new wallet. All certificates of the old <name>:<wallet>-combination are revoked automagically.
biolizard89 wrote:I assume you're aware that standard Namecoin addresses pay to a public key hash rather than a public key -- there's nothing preventing use of a public key in the blockchain, but it's not commonly done in Bitcoin or Namecoin (I suppose as long as the public key of the CA is revealed by the server's cert chain, this isn't actually an issue - just want to make sure you're taking this into consideration).
As long as a X.509-validator is somehow able to retrieve the public ECDSA key of the wallet from the blockchain everything is fine.
biolizard89 wrote:I would be worried about cross-protocol attacks as well, given that the same ECC key is signing both Namecoin transactions and X.509 certs.
It reduces complexity in applications and for users which increases security a lot (e.g. programming errors, misunderstanding of concept). In long term it may be reasonable to fork the monetary service and the authentication service into separate blockchains.
biolizard89 wrote:Other issue would be that a Namecoin d/ name can have multiple addresses associated with it -- the owner of the d/ name, the owners of any imported dd/ names, and (in the future) possibly the delegated renewal addresses of the d/ and dd/ names. What would be the mechanism of choosing which addresses are valid keys of the CA? Would it make sense to have a JSON field that contains a Namecoin name, which specifies which Namecoin name's pubkey is used for TLS? That shouldn't add much extra blockchain bloat, I think.
I think it's possible to sign a X.509-certificate with multiple private keys. The validator-specification has to be bijective about which wallets/namespaces supersede others (maybe even with timestamp-conditions for temporary owner-ship).