Topic: Namecoin SSL/TSL
freeloader247
June 30, 2011, 05:36:53 AM
 #1

I originally posted this in http://forum.bitcoin.org/index.php?topic=6017.360 but it was getting too messy over there so I decided to give it its own thread.

Freeloader247:
Quote
While we're in development stage let's solve some more problems, like the removal of ssl certificate authority! How about when you register a domain you get a private and a public key for it, then when you go to a website your browser asks namecoin for the public key for that domain, and then a secure connection is established. This system can be implemented into the existing ssl standard. What do you guys think?

noone:
Quote
Very interesting idea ... I'm listening. Sounds almost too simple (i.e. too good to be true) could be brilliant. Flesh it out some more.

Would greatly increase potential benefits of namecoins if we could do away with those lecherous certificate "authorities"

DavinciJ15:
Quote
I just stumbled on to namecoin and I am shocked it does not work this way already!  You own the domain via private key, logic would dictate you would not need ssl certs.

noone:
Quote
Hmmm ... looks like you may be able to do TLS using a ECDH_ECDSA (or ECDHE_ECDSA) scheme with the namecoin secp256k1 private key ...
http://www.faqs.org/rfcs/rfc4492.html
ironically ".... The NamedCurve name space is maintained by IANA...." (secp256k1 is a "NamedCurve", amongst many others)

DavinciJ15:
Quote
This is how I would have assumed SSL would work with the new TLD...

Well as you do know the wallet is a private key like an SSL cert and I don't know how it stores who has what domain but I would assume it's based on a public key created by your wallet.  Naturally you would NOT want to use your wallet as SSL Cert, thus why not have an encrypted private key stored with your domain name that is your certificate.  If someone steals that private key it's not a big deal, you create a new one and store it in the block chain using your wallet key.

That just seemed logical to me.

I just started reading about namecoin last night so I may be wrong about how it works.

1A4vZMZfJuvBScqVmRyDZ8PsBqq5WQ54Qp
"Governments are good at cutting off the heads of a centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own." -- Satoshi
marcus_of_augustus
June 30, 2011, 09:11:05 AM
 #2


Following ... maybe rename title "Namecoin SSL/TLS" ... (in reference to RFC above.)?

talpan
July 07, 2011, 08:53:29 AM
 #3

I'm following this thread, I'm very interested in Namecoin.
Metal
July 25, 2011, 01:39:52 AM
 #4

FYI, Namecoin's domain spec ( http://dot-bit.org/Domain_names#TLS_support ) has something about SSL/TLS support.

Additionally, I'm putting some code together to implement the "fingerprint" field at https://github.com/itsnotlupus/nmcsocks

The general idea is to require .bit domains to use self-signed certs for SSL, and have a local namecoin client act as a man in the middle, verify that the self-signed certs' fingerprint matches the fingerprints found in the namecoin record for the same domain, and rephrase the SSL connection to the browser to appear to use a certificate signed by a "central" namecoin authority (a locally generated CA cert the user has to install in their browser.)

That's not exactly the same implementation as what freeloader247 suggested, but the end result is similar in that you're eliminating yet another central authority when interacting with namecoin domains.
As a bonus, browsers don't need to be tweaked beyond adding a new certificate authority in their browser and using a local namecoin proxy, and certificates can be created/updated/managed at will, as long as their fingerprint is present in the necessary namecoin record.

As an aside, the namecoin fingerprint field could also be used to validate other keys sent by a host to authenticate itself, SSH coming to mind here.

*edit: I just noticed this is almost exactly what da2ce7 proposed in a post from last December:
Quote
Since the domains all have fingerprints of their TLS certificates, when one connects to a server defined by a BitDNS record and the server replies with a secure connection, the client can check if the secure connection is valid, not by using a CA, but rather cross-referencing it with the fingerprint included in the block chain.  Man-In-The-Middle attacks are very, very, very difficult under this system.
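
The check described in post #4 (compare the presented self-signed certificate's fingerprint with the fingerprints in the domain's Namecoin record), as an added example that is not part of the original post and is not nmcsocks code. It assumes the record is JSON with a `fingerprint` list of hex digests and that the digest length selects SHA-1 or SHA-256; the function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: digest length selects the hash (40 hex chars = SHA-1, 64 = SHA-256).
_HASH_BY_HEX_LEN = {40: hashlib.sha1, 64: hashlib.sha256}


def normalize_fingerprint(text):
    """Return lowercase hex without separators, or None if malformed."""
    if not isinstance(text, str):
        return None
    cleaned = text.replace(":", "").replace(" ", "").lower()
    if len(cleaned) not in _HASH_BY_HEX_LEN:
        return None
    if any(c not in "0123456789abcdef" for c in cleaned):
        return None
    return cleaned


def cert_matches_record(cert_der, record_json):
    """True only if the presented certificate's fingerprint is listed in the record."""
    try:
        record = json.loads(record_json)
    except ValueError:
        return False  # unparsable record: fail closed
    listed = record.get("fingerprint", []) if isinstance(record, dict) else []
    if isinstance(listed, str):
        listed = [listed]
    if not isinstance(listed, list):
        return False
    matched = False
    for entry in listed:
        expected = normalize_fingerprint(entry)
        if expected is None:
            continue  # skip malformed entries instead of trusting them
        actual = _HASH_BY_HEX_LEN[len(expected)](cert_der).hexdigest()
        # compare_digest avoids leaking how many leading characters matched
        matched |= hmac.compare_digest(actual, expected)
    return matched


# Constructed sample data: placeholder bytes stand in for DER-encoded certificates.
SAMPLE_CERT = b"constructed-der-bytes-for-example.bit"
OTHER_CERT = b"constructed-der-bytes-from-an-interceptor"
_fp = hashlib.sha256(SAMPLE_CERT).hexdigest().upper()
SAMPLE_RECORD = json.dumps({
    "fingerprint": ["not-hex", ":".join(_fp[i:i + 2] for i in range(0, 64, 2))],
})
```

A record with no usable fingerprint entries yields `False`, so a proxy built on this check refuses the connection rather than accepting any self-signed certificate.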
Jine
July 25, 2011, 03:31:46 PM
 #5

Let me get this straight - you're trying to do a "new" implementation of DNSSEC?

Previous founder of Bit LC Inc. | I've always loved the idea of bitcoin.
Metal
July 25, 2011, 06:39:13 PM
 #6

Jine:
Quote
Let me get this straight - you're trying to do a "new" implementation of DNSSEC?

In the same way one could call Namecoin a "new" implementation of DNS, I suppose.

I'd like to think Namecoin is sufficiently different and unique to justify its existence.
With that said, the feature overlap between Namecoin and DNS/DNSSEC is not coincidental.

Unlike DNSSEC however, Namecoin is completely decentralized.
You can use TLS connections with namecoin domains without depending on anyone's authoritah.
marcus_of_augustus
July 25, 2011, 09:02:36 PM
 #7

Jine:
Quote
Let me get this straight - you're trying to do a "new" implementation of DNSSEC?

Interesting that you should bring up DNSSEC specifically since that is the technology some nutcase government is looking at for legislative attention.

I think the possibilities for the transport layer security is what is going to make namecoin a big winner. Form follows function.

The current centralised model of DNS is what has made DNSSEC dev. such a nightmare for end-to-end securing.
