[tor-bugs] #17040 [Tor]: Blockchain as Root-CA for human-readable .onion domains
-------------------------+---------------------
Reporter: renne | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Tor | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------+---------------------
The .onion domain has been officially approved as a special domain by the
IETF. :)
Onion domains are decentralized and secure inside the Tor network, but not
human-meaningful. Human brains have trouble remembering them and associating
them with services. This problem is called Zooko's triangle.
(https://en.wikipedia.org/wiki/Zooko's_triangle)
The scandals in the last three years with certificate authorities issuing
non-validated certificates and intermediate certificates, or being hacked,
have shown that certificate authorities are not reliable, which breaks the
security of SSL/TLS.
The Namecoin project has proven it is possible to solve Zooko's triangle by
using a blockchain as a distributed database to assign globally unique,
self-registered IDs of any format to an asymmetric key pair of a blockchain
wallet. (https://wiki.namecoin.org/index.php?title=Identity)
So I suggest using a blockchain as Root-CA.
How it can work:
Registering a name / creating certificates:
1. User uses the Tor client to create and save (e.g. paper wallet) an
asymmetric wallet key pair.
2. User uses the Tor client to send a registration request for the tuple
<self-chosen ID>:<public asymmetric key> to the blockchain network.
3. The nodes in the blockchain network confirm the registration request.
4. User uses the Tor client to create X.509 server certificates with the
Common Name '<self-chosen ID>.onion', signed with the <private asymmetric
key> of the blockchain wallet.
5. The Tor client uses the triple <self-chosen ID>:<public asymmetric
key>:<private asymmetric key> from the X.509 certificate to register a
hidden service.
Root-CA lookup:
1. The Tor client can use an overlay filesystem to present the tuple
<self-chosen ID>:<public asymmetric key> from the blockchain as X.509
root-certificate files in the SSL root-certificate directory of the
operating system (e.g. /etc/ssl/certs on Linux).
2. Authentication applications (e.g. TLS/SSL) find the virtual X.509 root
certificates in the filesystem like any other X.509 certificate.
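The registration and lookup steps above, as an added example that is not part of the ticket or of Tor's code: a wallet key self-signs an X.509 certificate for <id>.onion, and a client checks that certificate against a constructed stand-in for the blockchain registry, rejecting a certificate for the same name signed by a different wallet. The Registry map, the name "myservice" and both wallets are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
)

// Registry stands in for the blockchain (constructed here): self-chosen ID -> registered wallet public key.
type Registry map[string]ed25519.PublicKey

// issueOnionCert builds the proposal's X.509 certificate for "<id>.onion", self-signed with the wallet key.
func issueOnionCert(id string, priv ed25519.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: id + ".onion"},
		BasicConstraintsValid: true,
		IsCA:                  true, // the wallet key acts as its own root CA, as the ticket proposes
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
}

// verifyAgainstRegistry is the Root-CA lookup: trust the certificate only if its CN is <id>.onion, it carries
// exactly the key registered for <id> (unregistered names yield a nil key, which never matches), and it is validly self-signed.
func verifyAgainstRegistry(der []byte, reg Registry) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	cn := cert.Subject.CommonName
	k, isEd := cert.PublicKey.(ed25519.PublicKey)
	if !strings.HasSuffix(cn, ".onion") || !isEd || !k.Equal(reg[strings.TrimSuffix(cn, ".onion")]) {
		return fmt.Errorf("%q is not a registered .onion name for this certificate's key", cn)
	}
	return cert.CheckSignatureFrom(cert)
}

// demo registers "myservice" to wallet A, then verifies A's cert and an impostor's (wallet B) cert for it.
func demo() (bool, bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	_, privB, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"myservice": pubA}
	certA, _ := issueOnionCert("myservice", privA)
	certB, _ := issueOnionCert("myservice", privB)
	return verifyAgainstRegistry(certA, reg) == nil, verifyAgainstRegistry(certB, reg) == nil
}
func main() { fmt.Println(demo()) } // prints: true false
```

Without the key-equality check the lookup would accept any self-signed certificate whose CN happens to name a registered ID, so the registry must be consulted for the key, not only for the name.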
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17040>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online