Currently the Namecoin TLS spec is as follows:
tls (http://dot-bit.org/Namespace:Domain_names_v2.0#TLS_support)
Specifies one or more certificate fingerprints and allow to enforce secured connections (see HSTS)
Allowed values :
- sha1 : upper or lower case, with or without ':'
- enforce : "self" (current FQDN) or "*" (all subdomains)
"tls": {
    "sha1": ["15:91:52:97:10:88:CD:44:9C:F7:23:81:78:C3:50:3B:09:20:56:2A", "630884E279CB1107F1FB8A6B11A64D1B14763F8E"],
    "enforce": "*"
}
* We support the use of sha1; the DANE RFC supports the entire certificate, sha256 and sha512
* We do not specify the port of the connection, so we are unable to specify the hash/certificate for different services
* We do not distinguish between protocols
* We allow the hash format to contain the ":" character
The two main things in the DANE spec that we probably shouldn't include, or do not need to, are the usage and selector options.
We always do end entity certificate only matching, and we only check/hash the full certificate. I think this is the right way to do it.
So this is my proposal for changing the TLS spec:
Format:
"tls": {
    "protocol": {
        port: [[matchtype, "matchvalue", includeSubdomains], [matchtype, "matchvalue", includeSubdomains]],
        port: [[matchtype, "matchvalue", includeSubdomains]]
    }
}
Port:
Decimal representation of the port number on which a TLS-based service is assumed to exist. The number has no leading zeros.
Protocol:
Lower or uppercase string: tcp, udp, sctp
Matchtype:
0: Exact match (the entire certificate)
1: SHA-256
2: SHA-512
Matchvalue:
The hash or certificate in hex without any delimiters, as a string in hex digits.
includeSubdomains:
0: do not enforce this rule for subdomains
1: enforce this rule for subdomains
The includeSubdomains rule cannot be revoked by a subdomain that turns it off.
Example:
"tls": {
    "tcp": {
        "443": [[1, "660008F91C07DCF9058CDD5AD2BAF6CC9EAE0F912B8B54744CB7643D7621B787", 1]],
        "25": [[1, "660008F91C07DCF9058CDD5AD2BAF6CC9EAE0F912B8B54744CB7643D7621B787", 1]]
    }
}
Additionally, we should make it implied that http traffic is encrypted. Tools such as the Namecoin Convergence plugin will assume that https traffic to .bit domains has a tls fingerprint, and if it does not, serve an error message to the user about the problem with the connection, with the possibility to bypass it.
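
A sketch of how a client could check a certificate against a record in the proposed format. This is an added example, not part of the original post and not code from any Namecoin tool. It assumes the record is valid JSON with the port as a string key, that the certificate is supplied as DER bytes, and that the caller already knows whether the host is a subdomain of the name holding the record; the function names and sample data are made up for illustration.

```python
import hashlib
import json

# Matchtype values from the proposal: 0 = entire certificate, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


def rules_for(tls, protocol, port):
    """Return the rule list for protocol/port; protocol may be lower or upper case."""
    for name, ports in tls.items():
        if name.lower() == protocol.lower():
            return ports.get(str(port), [])
    return []


def cert_matches(tls, protocol, port, cert_der, is_subdomain=False):
    """True if the end-entity certificate (DER bytes) satisfies a published rule."""
    for matchtype, matchvalue, include_subdomains in rules_for(tls, protocol, port):
        if is_subdomain and include_subdomains != 1:
            continue  # includeSubdomains = 0: rule is not enforced for subdomains
        if matchtype == 0:
            candidate = cert_der.hex()  # exact match on the whole certificate
        elif matchtype in DIGESTS:
            candidate = DIGESTS[matchtype](cert_der).hexdigest()
        else:
            continue  # unknown matchtype never counts as a match
        # Matchvalue is hex without delimiters; compare case-insensitively.
        if candidate == matchvalue.lower():
            return True
    return False


# Constructed sample data: placeholder bytes stand in for a DER certificate.
SAMPLE_CERT = b"constructed-placeholder-certificate"
SAMPLE_RECORD = json.dumps({"tls": {"tcp": {
    "443": [[1, hashlib.sha256(SAMPLE_CERT).hexdigest().upper(), 1]],
    "25": [[2, hashlib.sha512(SAMPLE_CERT).hexdigest(), 0]],
}}})
SAMPLE_TLS = json.loads(SAMPLE_RECORD)["tls"]

if __name__ == "__main__":
    print(cert_matches(SAMPLE_TLS, "TCP", 443, SAMPLE_CERT))
    print(cert_matches(SAMPLE_TLS, "tcp", 25, SAMPLE_CERT, is_subdomain=True))
    print(cert_matches(SAMPLE_TLS, "tcp", 443, b"some other certificate"))
```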