[cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

Greg greg at kinostudios.com
Sat Dec 21 20:56:25 EST 2013


On Dec 21, 2013, at 4:04 PM, Eduardo Robles Elvira <edulix at gmail.com> wrote:

> 
> The obvious problem with this is that namecoin doesn't have all the
> domain names already registered assigned to the current owners, and
> there's no arbitration authority that can prevent domain cybersquatting.
> 
> So I can register all the important domains: microsoft, ebay, google,
> nsa, whitehouse, you name it, and I will be the owner of them forever.
> What's worse, if the domain keys are lost, the domain name is lost too.


Thanks for the valuable feedback Eduardo! :-)

This is indeed the most significant (and only) issue with transitioning the web to DNSNMC.

Therefore we have proposed a solution to this on the Namecoin forums:

Transitioning the web to Namecoin by addressing name-squatters:
http://dot-bit.org/forum/viewtopic.php?f=5&t=1439

Here's a copy/paste from that thread:

The only criticism of relevance that I have received (so far) from those reviewing DNSNMC is that people do not like domain squatters and therefore do not want to switch to a system where all the existing trademarked and copyrighted names have already been registered:

https://www.reddit.com/r/netsec/comments/1t20wi/therightkey_dnsnmc_deprecates_certificate/ce45865
http://lists.randombit.net/pipermail/cryptography/2013-December/005959.html
http://lists.randombit.net/pipermail/cryptography/2013-December/005960.html

I think this is one of the main things that is holding Namecoin back from widespread adoption, and therefore we must address this issue.

Herein I propose a very simple method to address this problem:

namecoind must be modified to give existing TLDs special treatment in a way that paves the way for a smooth transition from today's DNS to a Namecoin-based DNS like DNSNMC.

New namespaces will be created for each of today's TLDs, and only the owners of those domains (in the deprecated, old DNS system) can register them. For example, only the owners of apple.com can register com/apple, etc. Proof of ownership is done by special NMC DNS records that contain the owner's cryptographic signature/fingerprint. When Namecoin clients receive a notification that someone wants to register a domain in the com namespace, they check the JSON request to verify that it was signed by the same signature that appears in the old DNS records. If they match, the registration request is accepted and added to their local blockchain. If it does not match, the request is discarded. Similarly, the namecoin client itself will perform this check locally before sending out the request to other peers (to provide instant feedback to users attempting to register something that doesn't belong to them).

Thoughts?

Cheers!
- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Dec 21, 2013, at 4:04 PM, Eduardo Robles Elvira <edulix at gmail.com> wrote:

> Signed PGP part
> On 21/12/13 20:49, Greg wrote:
> > Hi list,
> >
> > DNSNMC fixes the authentication problems previously described, and
> > it addresses all of the problems with the previously mentioned
> > proposals. It does this first by combining DNS with Namecoin (NMC),
> > and then by encouraging a “trust only those you know” policy.5
> >
> > “Namecoin is an open source decentralized key/value registration
> > and transfer system based on Bitcoin technology”.[16] Namecoin
> > “squares Zooko’s Triangle”, meaning, it makes it possible to have
> > domain names (and other types of identifiers) that are:
> >
> > Authenticated: users can be certain that they are not speaking to
> > an impostor
> >
> > Decentralized: there is no central authority controlling all the
> > names
> >
> > Human-readable: names look just like today’s domain names
> >
> > However, by itself, Namecoin does not provide the means by which
> > ordinary users can take advantage of the features it provides.
> > Using Namecoin is far too cumbersome for the vast majority of
> > internet users, even those with years of computer expertise. For
> > one, it cannot be used on mobile devices (like iPhones) in its
> > current state because of its network requirements.
> >
> > DNSNMC provides the missing “glue” to the Namecoin blockchain that
> > makes it immediately accessible to clients of all types with zero
> > configuration. A network administrator need only enter the IP
> > address of a DNSNMC-compliant DNS server to instantly make the
> > information within the blockchain accessible to all of the users
> > that she (or he) provides internet access to.
> >
> > Paper: http://okturtles.com/other/dnsnmc_okturtles_overview.pdf
> >
> > Cheers, Greg Slepak
> 
> Hello Greg:
> 
> The obvious problem with this is that namecoin doesn't have all the
> domain names already registered assigned to the current owners, and
> there's no arbitration authority that can prevent domain cybersquatting.
> 
> So I can register all the important domains: microsoft, ebay, google,
> nsa, whitehouse, you name it, and I will be the owner of them forever.
> What's worse, if the domain keys are lost, the domain name is lost too.
> 
> There should be a procedure to fix all this in a reasonable manner.
> For example, if names in namecoin had to be renovated each year, lost
> or unused domains could be recovered. I don't see any simple way to
> solve domain name squatting without adding some trusted authority or
> some kind of cumbersome/impractical voting mechanism.
> 
> For new projects, namecoin is more or less as viable as current DNS
> structure: when you are searching for a name, just check that it is
> available. But for existing websites, it would require some good luck.
> How would you do a smooth transition?
> 
> Regards,
> Eduardo
> 
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
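The legacy-owner proof check that Greg's reply proposes (a registration request for "com/apple" is accepted only if it is signed by the key whose fingerprint the owner of apple.com published in the old DNS), as an added example that is not part of this thread or of Namecoin/DNSNMC code. The JSON request layout, SHA-256 as the fingerprint, Ed25519 as the signature scheme, and the `legacyDNS` map standing in for the DNS lookup are all assumptions of the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"strings"
)

// RegRequest is a hypothetical JSON registration request; the proposal fixes
// no concrete format, so this layout is an assumption of the example.
type RegRequest struct {
	Name   string `json:"name"`   // Namecoin name, e.g. "com/apple"
	Value  string `json:"value"`  // record to store in the blockchain
	PubKey string `json:"pubkey"` // hex Ed25519 public key of the signer
	Sig    string `json:"sig"`    // hex Ed25519 signature over Name+"\n"+Value
}

// Fingerprint is what the legacy-DNS proof record carries (assumed: SHA-256 of the raw key).
func Fingerprint(pub []byte) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}
// BuildRequest is the owner's side: sign name+"\n"+value and emit the JSON request.
func BuildRequest(name, value string, pub ed25519.PublicKey, priv ed25519.PrivateKey) []byte {
	sig := ed25519.Sign(priv, []byte(name+"\n"+value))
	raw, _ := json.Marshal(RegRequest{name, value, hex.EncodeToString(pub), hex.EncodeToString(sig)})
	return raw
}
// VerifyRegistration is the peer's side: accept "tld/label" only if the signer's
// key matches the proof record for label.tld. legacyDNS (domain -> fingerprint)
// stands in for the DNS lookup so the example runs offline.
func VerifyRegistration(raw []byte, legacyDNS map[string]string) bool {
	var req RegRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return false
	}
	parts := strings.SplitN(req.Name, "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return false // not a name in a legacy-TLD namespace
	}
	want, ok := legacyDNS[parts[1]+"."+parts[0]]
	pub, err := hex.DecodeString(req.PubKey)
	if !ok || err != nil || len(pub) != ed25519.PublicKeySize || Fingerprint(pub) != want {
		return false // no proof record, or the signer's key is not the one the legacy owner published
	}
	sig, err := hex.DecodeString(req.Sig)
	return err == nil && ed25519.Verify(ed25519.PublicKey(pub), []byte(req.Name+"\n"+req.Value), sig)
}
```

A request from any other key, a request for a domain with no proof record, and a request whose value was altered after signing are all discarded, which is the local pre-check Greg wants the client to run before relaying to peers.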
