[tor-bugs] #17040 [Tor]: Blockchain as Root-CA for human-readable .onion domains

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 11 10:28:46 UTC 2015


#17040: Blockchain as Root-CA for human-readable .onion domains
-------------------------+---------------------
 Reporter:  renne        |          Owner:
     Type:  enhancement  |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor          |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+---------------------
 The .onion domain has been officially approved as a special domain by the
 IETF. :)

 Onion domains are decentralized and secure inside the TOR network, but not
 human-meaningful. Human brains have problems remembering them and assigning
 them to services. This problem is called Zooko's triangle.
 (https://en.wikipedia.org/wiki/Zooko's_triangle)
 The scandals in the last three years with certificate authorities issuing
 non-validated certificates and intermediate certificates or being hacked
 have shown that certificate authorities are not reliable, which breaks the
 security of SSL/TLS.

 The Namecoin project has proven it's possible to solve Zooko's triangle
 using a blockchain as a distributed database to assign globally-unique
 self-registered IDs of any format to an asymmetric key pair of a blockchain
 wallet. (https://wiki.namecoin.org/index.php?title=Identity)

 So I suggest using a blockchain as Root-CA.

 How it can work:

 Registering name/creating certificates:

  1. User uses the TOR-client to create and save (e.g. paper-wallet) an
  asymmetric wallet key pair.
  2. User uses the TOR-client to send a registration request for the tuple
  <self-chosen ID>:<public asymmetric key> to the blockchain network.
  3. The nodes in the blockchain network confirm the registration request.
  4. User uses the TOR-client to create X.509 server certificates with the
  Common Name '<self-chosen ID>.onion' signed with the <private asymmetric
  key> of the blockchain wallet.
  5. TOR client uses the triple <self-chosen ID>:<public asymmetric
  key>:<private asymmetric key> from the X.509 certificate to register a
  hidden service.

 Root-CA-lookup:

 1. The TOR-client can use an overlay filesystem to present the tuple
 <self-chosen ID>:<public asymmetric key> from the blockchain as X.509
 root-certificate files in the SSL root-certificate directory of the
 operating system (e.g. /etc/ssl/certs on Linux).

 2. Authentication applications (e.g. TLS/SSL) find the virtual X.509 root
 certificates in the filesystem like any other X.509 certificate.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17040>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
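The two halves of the proposal above (registering a name and issuing certificates, then the Root-CA lookup) as one runnable model. This is an added example, not code from the ticket, from Tor or from Namecoin. It stands in for the blockchain with an in-memory first-come-first-served registry of <id>:<public key> bindings, uses Ed25519 wallet keys, and, instead of writing virtual root files into /etc/ssl/certs, has the client accept the root the server presents only when that root's key is the one the registry binds to the id, before running ordinary X.509 chain validation. The names Registry, IssueCerts, VerifyOnionChain and the id "alice" are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Registry stands in for the blockchain: first-come-first-served <id>:<public key>
// bindings (the Namecoin rule). Assumed in-memory model; no consensus, mining or fees.
type Registry struct{ entries map[string]ed25519.PublicKey }

func NewRegistry() *Registry { return &Registry{entries: map[string]ed25519.PublicKey{}} }

// NewWallet is step 1 of the ticket: the asymmetric wallet key pair (Ed25519 assumed).
func NewWallet() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Register is steps 2 and 3: submit <id>:<public key>; it is confirmed unless the id is taken.
func (r *Registry) Register(id string, pub ed25519.PublicKey) error {
	if _, taken := r.entries[id]; taken {
		return fmt.Errorf("id %q already registered", id)
	}
	r.entries[id] = pub
	return nil
}

// IssueCerts is step 4: the wallet key pair acts as a private root CA and signs a server cert for <id>.onion.
func IssueCerts(id string, walletPub ed25519.PublicKey, walletPriv ed25519.PrivateKey) (rootDER, leafDER []byte, err error) {
	now := time.Now()
	rootTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: id + " wallet root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if rootDER, err = x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, walletPub, walletPriv); err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	// The hidden service's own TLS key (step 5 in the ticket); only its public half is needed here.
	servicePub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: id + ".onion"},
		DNSNames:     []string{id + ".onion"}, // validators match the host against SANs, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTpl, root, servicePub, walletPriv)
	return rootDER, leafDER, err
}

// VerifyOnionChain is the Root-CA-lookup half: instead of writing a root file into /etc/ssl/certs,
// the client trusts the presented root only if its key is the one bound to <id> in the registry.
func VerifyOnionChain(reg *Registry, id string, leafDER, rootDER []byte) error {
	bound, ok := reg.entries[id]
	if !ok {
		return fmt.Errorf("id %q is not registered", id)
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return err
	}
	if pub, ok := root.PublicKey.(ed25519.PublicKey); !ok || !pub.Equal(bound) {
		return fmt.Errorf("presented root key does not match the registry binding for %q", id)
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: id + ".onion"})
	return err
}

func main() {
	reg := NewRegistry()
	pub, priv, _ := NewWallet()
	fmt.Println("register alice:", reg.Register("alice", pub))
	rootDER, leafDER, _ := IssueCerts("alice", pub, priv)
	fmt.Println("alice.onion against the registry binding:", VerifyOnionChain(reg, "alice", leafDER, rootDER))
}
```

Two points the model makes visible. A second wallet trying to register "alice" is refused by the first-come rule, and a chain it signs for alice.onion fails the binding check even though every field in the leaf is right, so the registry lookup, not the self-signature on the root, is what carries the trust. Chain validators match the host against Subject Alternative Names rather than the Common Name the ticket mentions, so the generated server certificate carries the name in both places.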

