Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

2013-12-22 Thread Marcus Brinkmann

On 12/21/2013 10:04 PM, Eduardo Robles Elvira wrote:

> The obvious problem with this is that namecoin doesn't have all the
> domain names already registered assigned to the current owners, and
> there's no arbitration authority that can prevent domain cybersquatting.


This is not a weakness of namecoin, but a weakness of human readable names.

Why does coke.ch lead to the website of the Coca Cola Company, and not 
an informational website on heroin addiction?  Because someone at that 
company decided to cybersquat this domain.



> So I can register all the important domains: microsoft, ebay, google,
> nsa, whitehouse,


They are only important if you value e-commerce, advertising and the US 
institutions more than the alternatives that could exist.


The solution to this is that names should not be claimed, they should be 
given by the community that values the association.  Neither DNS nor 
namecoin allows for that, so both are inadequate.  As an example, 
consider how Wikipedia pages are named: http://en.wikipedia.org/wiki/Coke


This is painfully obvious, and yet we are mentally stuck in an 
authoritative model of naming.  If the use of words (in spoken language) 
were assigned like this, we would hate it.


Thanks,
Marcus


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

2013-12-22 Thread Natanael
That sounds a lot like my Web of Trust based DNS suggestion. Link:

http://www.reddit.com/r/Meshnet/comments/o3wex/wotdns_web_of_trust_based_domain_name_system

Domain names would not be globally unique, where they go would instead be
based on each individual node's trust ranking for the site's node and for
the nodes that have signed a vote for that domain name association.
Communities could set a high level of trust to the same set of trusted
people to make sure domain names used within the community go to the same
place for all the members.

- Sent from my phone


Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

2013-12-22 Thread Marcus Brinkmann

On 12/22/2013 12:58 PM, James A. Donald wrote:

> On 2013-12-22 19:44, Marcus Brinkmann wrote:
>
>> The solution to this is that names should not be claimed, they should be
>> given by the community that values the association.  Neither DNS nor
>> namecoin allows for that, so both are inadequate.  As an example,
>> consider how Wikipedia pages are named: http://en.wikipedia.org/wiki/Coke
>
> Wikipedia does a pretty good job on naming.  The names of Wikipedia
> articles are not politicized, but its articles are severely politicized,
> because they rely on Academia and the New York Times as final authority,
> and Academia and the New York Times are politicized.


I agree, but who said there can only be one directory for names?  If 
social groups disagree, they should each manage their own directory.


With the right tools, we could stack directories.  Most people will 
prefer the mainstream bourgeoisie naming directory, while many might 
choose to layer smaller special-interest directories on top of that. 
Extremists will maintain their own exclusive directories untainted by 
mainstream naming.


And while you are at it, you can throw adblock in the mix, because 
manipulating DNS names (to point to /dev/null) is one of its tasks.



> If it was naming keys, so that various entities each wanted their
> own key given a certain popular name, naming keys would also be
> politicized.
>
> Yes, we should have some social procedure for naming names, so that
> the major influence is what other people call the key, rather than what
> the owner of the key wants the key to be called, but any such procedure
> will come under attack.




Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

2013-12-22 Thread Kelly John Rose
Now there is an interesting idea. And we can refer to them as top level
domains. Perhaps since people tend to gather geographically we can make them
geographically related. Say ca for Canada and de for Germany.

Oh wait.

-- 
Kelly John Rose
Toronto, ON
Phone: +1 647 638-4104
Twitter: @kjrose
Skype: kjrose.pr
Gtalk: i...@kjro.se
MSN: m...@kjro.se

Document contents are confidential between original recipients and sender.


Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

2013-12-21 Thread Eduardo Robles Elvira

On 21/12/13 20:49, Greg wrote:
> Hi list,
>
> DNSNMC fixes the authentication problems previously described, and
> it addresses all of the problems with the previously mentioned
> proposals. It does this first by combining DNS with Namecoin (NMC),
> and then by encouraging a “trust only those you know” policy.5
>
> “Namecoin is an open source decentralized key/value registration
> and transfer system based on Bitcoin technology”.[16] Namecoin
> “squares Zooko’s Triangle”, meaning, it makes it possible to have
> domain names (and other types of identifiers) that are:
>
> Authenticated: users can be certain that they are not speaking to
> an impostor
>
> Decentralized: there is no central authority controlling all the
> names
>
> Human-readable: names look just like today’s domain names
>
> However, by itself, Namecoin does not provide the means by which
> ordinary users can take advantage of the features it provides.
> Using Namecoin is far too cumbersome for the vast majority of
> internet users, even those with years of computer expertise. For
> one, it cannot be used on mobile devices (like iPhones) in its
> current state because of its network requirements.
>
> DNSNMC provides the missing “glue” to the Namecoin blockchain that
> makes it immediately accessible to clients of all types with zero
> configuration. A network administrator need only enter the IP
> address of a DNSNMC-compliant DNS server to instantly make the
> information within the blockchain accessible to all of the users
> that she (or he) provides internet access to.
>
> Paper: http://okturtles.com/other/dnsnmc_okturtles_overview.pdf
>
> Cheers, Greg Slepak

Hello Greg:

The obvious problem with this is that namecoin doesn't have all the
domain names already registered assigned to the current owners, and
there's no arbitration authority that can prevent domain cybersquatting.

So I can register all the important domains: microsoft, ebay, google,
nsa, whitehouse, you name it, and I will be the owner of them forever.
What's worse, if the domain keys are lost, the domain name is lost too.

There should be a procedure to fix all this in a reasonable manner.
For example, if names in namecoin had to be renovated each year, lost
or unused domains could be recovered. I don't see any simple way to
solve domain name squatting without adding some trusted authority or
some kind of cumbersome/impractical voting mechanism.

For new projects, namecoin is more or less as viable as current DNS
structure: when you are searching for a name, just check that it is
available. But for existing websites, it would require some good luck.
How would you do a smooth transition?

Regards,
Eduardo



Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

2013-12-21 Thread Kelly John Rose
This is my concern as well. Part of the current system is the cost of
entry. If there is no central authority, and all people can simply create
the domains they want, then there will be the very serious issue of someone
going to the microsoft in that domain name space and not getting microsoft,
but getting an imposter.

Or worse, someone going to Bank of America and getting an imposter.



-- 
Kelly John Rose
Toronto, ON
Phone: +1 647 638-4104
Twitter: @kjrose
Skype: kjrose.pr
Gtalk: i...@kjro.se
MSN: m...@kjro.se

Document contents are confidential between original recipients and sender.


Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

2013-12-21 Thread Greg
On Dec 21, 2013, at 4:04 PM, Eduardo Robles Elvira edu...@gmail.com wrote:

 
> The obvious problem with this is that namecoin doesn't have all the
> domain names already registered assigned to the current owners, and
> there's no arbitration authority that can prevent domain cybersquatting.
>
> So I can register all the important domains: microsoft, ebay, google,
> nsa, whitehouse, you name it, and I will be the owner of them forever.
> What's worse, if the domain keys are lost, the domain name is lost too.


Thanks for the valuable feedback Eduardo! :-)

This is indeed the most significant (and only) issue with transitioning the web 
to DNSNMC.

Therefore we have proposed a solution to this on the Namecoin forums:

Transitioning the web to Namecoin by addressing name-squatters:
http://dot-bit.org/forum/viewtopic.php?f=5&t=1439

Here's a copy/paste from that thread:

The only criticism of relevance that I have received (so far) from those 
reviewing DNSNMC is that people do not like domain squatters and therefore do 
not want to switch to a system where all the existing trademarked and 
copyrighted names have already been registered:

https://www.reddit.com/r/netsec/comments/1t20wi/therightkey_dnsnmc_deprecates_certificate/ce45865
http://lists.randombit.net/pipermail/cryptography/2013-December/005959.html
http://lists.randombit.net/pipermail/cryptography/2013-December/005960.html

I think this is one of the main things that is holding Namecoin back from 
widespread adoption, and therefore we must address this issue.

Herein I propose a very simple method to address this problem:

namecoind must be modified to give existing TLDs special treatment in a way 
that paves the way for a smooth transition from today's DNS, to a Namecoin-based DNS 
like DNSNMC.

New namespaces will be created for each of today's TLDs, and only the owners of 
those domains (in the deprecated, old DNS system) can register them. For 
example, only the owners of apple.com can register com/apple, etc. Proof of 
ownership is done by special NMC DNS records that contain the owner's 
cryptographic signature/fingerprint. When Namecoin clients receive a 
notification that someone wants to register a domain in the com namespace, they 
check the JSON request to verify that it was signed by the same signature that 
appears in the old DNS records. If they match, the registration request is 
accepted and added to their local blockchain. If it does not match, the request 
is discarded. Similarly, the namecoin client itself will perform this check 
locally before sending out the request to other peers (to provide instant 
feedback to users attempting to register something that doesn't belong to them).

Thoughts?

Cheers!
- Greg

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.


Re: [cryptography] DNSNMC replaces Certificate Authorities with Namecoin and fixes HTTPS security

2013-12-21 Thread Kevin

On 12/21/2013 6:38 PM, Kelly John Rose wrote:
> This is my concern as well. Part of the current system is the cost of
> entry. If there is no central authority, and all people can simply
> create the domains they want, then there will be the very serious
> issue of someone going to the microsoft in that domain name space and
> not getting microsoft, but getting an imposter.
>
> Or worse, someone going to Bank of America and getting an imposter.


Yes indeed.  I can hear the sounds of a squeaky *cough* backdoor.


--
Kevin
