If I need to go to example.com before I can find Alice's key, doesn't that imply that a hacked or malicious example.com could redirect me to a different signature of "
alice@example.com", thus circumventing the protection ?
You're right, it wouldn't work. I was wrongly assuming that sites can only have one SSL certificate issued to them by a CA at one time, and that any one could query the CAs for all of the expired/revoked certificates of a particular site. That's not how it works. A site can have multiple valid certificates, and you can only get information on a certificate that they present to you.
With namecoin I believe it would be possible though. Here's how it would work:
* A relay server registers example.bit in the namecoin block-chain.
* When Alice is registering the
alice@example.bit user account, the relay server creates a digital signature for "
alice@example.bit" using the privkey portion of the namecoin ECDSA key pair that the example.bit domain is registered at, sends it to Alice through a secure channel, and requires her to create a bitcoin transaction with two outputs, one sending a bitcent/satoshi/etc to base58(ripemd160(example.bit-signature("
alice@example.bit") +checksum), and one sending a bitcent/satoshi/etc to base58(ripemd160("
alice@example.bit" +checksum), in order to complete registration of her user account
* When Bob wants to make a payment to
alice@example.bit, he scans the bitcoin block-chain for the earliest spend to the base58(ripemd160("
alice@example.bit" +checksum) address. The receiving address of the other output in the transaction would be the base58(ripemd160(example.com-signature("
alice@example.bit") +checksum)
* He asks the owner of example.bit for the pubkey that hashes to the namecoin address that example.bit was registered at at the time that the spend to the base58(ripemd160("
alice@example.bit" +checksum) address took place, and a signature of "
alice@example.bit" made by the pubkey's corresponding privkey.
* He verifies that the pubkey provided by example.bit hashes to the namecoin address that example.bit was registered at at the time of the spend, and verifies that the signature was made by the privkey that corresponds to that public key.
* If Bob has verified that the owners of example.bit have given him the correct pubkey and signature, but the receiving address of the other output doesn't match base58(ripemd160(example.com-signature("
alice@example.bit") +checksum), then Bob ignores that spend and scans the bitcoin blockchain for the next earliest spend to the base58(ripemd160("
alice@example.bit" +checksum) address. He continues the process until he finds a spend where the receiving address of the other output matches the hash of the signature of "
alice@example.bit" made by the privkey corresponding to the pubkey that hashes to the namecoin address that example.bit was registered at at the time of the spend.
This would prevent an attacker from making any user accounts of a particular domain unavailable without the cooperation of the domain owner, while not allowing a MITM attack by the domain owner.
BTW, There seem to be at least two similar but-incompatible schemes for doing what I proposed in the first post. Here I was thinking I am being original :
Your scheme is original in requiring every input to a base58 hash be spent to a different and never used base58 hash, which would prevent an outsider from deducing any information about the participants of transactions.