biolizard89 wrote: Upstream Convergence uses a locally generated CA cert to make verified certs appear legitimate to Firefox

Upstream Convergence (UC for brevity) relies on third-party notaries, does it not? That's what it says after all: "Each notary can only make security decisions for the clients that have chosen to trust it"
So to my ear it is exactly as I said: clients use these notaries in a manner similar to "third-party DNS servers" that they trust.
biolizard89 wrote: Convergence for Namecoin does not use notaries; it uses nmcontrol as its verification source for .bit domains. [..snipped from above..] Convergence for Namecoin uses this code to make nmcontrol-verified certs work in Firefox without showing warnings. Trusting notaries is not involved in using Convergence for Namecoin, and I would not endorse any security model which requires doing so.

Unless I'm missing something obvious, it would provide fantastic security, and would have the option of providing the security that you're looking for as well. Nothing would stop you from "running a local notary" yourself (i.e. having namecoind in the background), just like I run a local DNS server on my machine.
For those who either don't want (most people) or can't (mobile users) run namecoind in the background, they just put in the IP address of the DNSNMC server that they trust, and everything works beautifully.
It doesn't matter whether you endorse this or not, because as I understand your system (simply running nmcd yourself), you don't provide much more meaningful security than a trustworthy pinned-cert DNSNMC would, and on top of it, you provide literally zero protection to clients who cannot run your system (whether it's because they're using a mobile device, or a browser that doesn't support your extension, like Chrome). That amounts to the vast majority of internet users.