
LSD0001: GNU Name System

commit 495b02b508e08477eb8e2aaa06fdbd0ea92ecfee
parent 91d8559eb5b5202fa7ba0e755511ac66c0710261
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date:   Sun,  6 Sep 2020 10:51:46 +0200

more

Diffstat:
Mdraft-schanzen-gns.xml | 50++++++++++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 18 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml @@ -136,14 +136,21 @@ A zone in GNS is defined by a public/private key pair (d,zk), where d is the private key and zk the corresponding public key. The contents of a zone are cryptographically signed before - publishing. Instead of the zone private key "d", the signature MUST + being published a Distributed Hash Table (DHT). + Records are grouped by their label and encrypted (<xref target="recordencryption"/>) + using an encryption key derived from the label and the zone public key. + Instead of the zone private key "d", the signature MUST be created using a blinded public/private key pair d' and zk'. This blinding is realized using a Hierarchical Deterministic Key Derivation (HDKD) scheme. - Such a scheme allows the zone owner to derivate a private d' and a + Such a scheme allows the zone owner to derive a private d' and a resolver to derive the corresponding public key zk' in a deterministic manner from the original public and private zone keys as well as a - label. + label. This feature prevents zone enumeration and requires knowledge + of both "zk" and the queried label to confirm affiliation with a + specific zone. At the same time, the blinded "zk'" provides nodes + with the ability to verifiy the integrity of the published information + without disclosing the originating zone. </t> <t> The following primitives define a zone in GNS: 
@@ -177,12 +184,14 @@ is a HDKD function which blinds a public zone key "zk" of the respective type. </dd> - <dt>TLD(zk) -> zkl</dt> + <dt>NameSuffix(ztype, zk) -> zkl</dt> <dd> is a function which defines a mapping from zone public key to a string "zkl" of the respective type. - It is string which encodes the "ztype" as well as the zone - key "zk" into one or more labels. + It is a string which encodes the "ztype" as well as the zone + key "zk" into one or more labels. The "zkl" is used as a + globally unique reference to a specific namespace in the + process of name resolution. </dd> </dl> <t> @@ -763,7 +772,7 @@ q := SHA512 (HDKD-Public(zk, label)) | | +-----+-----+-----+-----+-----+-----+-----+-----+ | ZONE TYPE | PUBLIC ZONE KEY | -+-----+-----+-----+-----+ | ++-----+-----+-----+-----+ (BLINDED) | / / / / | | @@ -784,12 +793,17 @@ q := SHA512 (HDKD-Public(zk, label)) <dd> The signature is computed over the data following the PUBLIC KEY field. - The signature is created using the derived private key "d'" (see - <xref target="zone_types" />). + The signature is created using the derived private key + "HDKD-Private(d, label)" (see <xref target="zone_types" />). </dd> - <dt>PUBLIC KEY</dt> + <dt>ZONE TYPE</dt> + <dd> + is the 32-bit zone type. + </dd> + <dt>ZONE PUBLIC KEY</dt> <dd> - is the public key "zk'" to be used to verify SIGNATURE. + is the blinded public zone key "HDKD-Public(zk, label)" + to be used to verify SIGNATURE. </dd> <dt>SIZE</dt> <dd> 
@@ -1512,15 +1526,15 @@ NICK: john (Supplemental) particular application requires a different process. </t> <t> - GNS clients SHOULD first try to interpret the top-level domain of - a GNS name as a zone key. - For example. if the top-level domain is a label representation of - a public zone key "zkl", the root zone of the resolution process - is implicitly given by the name: + GNS clients MUST first try to interpret the top-level domain of + a GNS name as a zone key representation "zkl := NameSuffix(ztype, zk)". + If the top-level domain is indicated to be a label representation of + a public zone key with a well-defined "ztype" value, the root zone of + the resolution process is implicitly given by the suffic of the name: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -Example name: www.example.<zkl> -=> Root zone: zk +Example name: www.example.<NameSuffix(ztype, zk)> +=> Root zone: zk of type ztype => Name to resolve from root zone: www.example ]]></artwork> <t>
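Review bot: In the @@ -136 hunk, the new sentence "before being published a Distributed Hash Table (DHT)" is missing a preposition; it should read "before being published in a Distributed Hash Table (DHT)" (or "to a"). The same hunk introduces the typo "verifiy" in "the ability to verifiy the integrity of the published information"; change to "verify".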
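Review bot: In the @@ -177 hunk, the signature is changed from "TLD(zk)" to "NameSuffix(ztype, zk)" but the unchanged description still reads "is a function which defines a mapping from zone public key to a string", which no longer matches the two-argument form; reword to "a mapping from a zone type and zone public key to a string". Since the name and arity both change, please also confirm that every remaining reference to "TLD(...)" elsewhere in the draft has been updated, as only the @@ -1512 hunk in this diff switches to the new name.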
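Review bot: In the @@ -763 hunk, the artwork now labels the field "PUBLIC ZONE KEY (BLINDED)", while the field list in the @@ -784 hunk names the same field "ZONE PUBLIC KEY"; pick one spelling for both so the diagram and the definition list can be cross-referenced unambiguously.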
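Review bot: In the @@ -784 hunk, the unchanged context sentence "The signature is computed over the data following the PUBLIC KEY field" refers to a field that this hunk renames to "ZONE PUBLIC KEY", so the reference dangles; update it to the new name. It would also help to state explicitly whether the new 32-bit "ZONE TYPE" field, which precedes the key in the layout, is covered by the signature, because "the data following the PUBLIC KEY field" as written excludes it.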
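Review bot: In the @@ -1512 hunk, "the suffic of the name" is a typo for "the suffix of the name", and "If the top-level domain is indicated to be a label representation" reads awkwardly; "If the top-level domain is a label representation" is clearer. Note that this hunk also raises the requirement from SHOULD to MUST, which makes the zone-key interpretation mandatory for all GNS clients; if that is intended, the surrounding text stating that "a particular application requires a different process" should be reconciled with the new MUST.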