commit 58d255d00384b43f2215f2cc4c45a2e85610cb5b
parent 5406ef80bcc7af7c3cd599fd344fa15336d0c8e3
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 16 Feb 2022 18:53:09 +0100
ise attempt to improve sign descriptions
Diffstat:
1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -137,7 +137,7 @@
<xref target="RFC8324"/>.
GNS can bind names to any kind of
cryptographically secured token, enabling it to double in some respects as
- even as an alternative to some of today’s Public Key Infrastructures, in
+ an alternative to some of today’s Public Key Infrastructures, in
particular X.509 for the Web.
</t>
<t>
@@ -294,7 +294,7 @@
to its immediate parent zone. In
order to support (legacy) applications as well as to facilitate the use
of petnames, GNS defines auxiliary record types in addition to
- supporting traditional DNS records.
+ supporting existing DNS records.
</t>
<t>
Zone contents are encrypted and signed
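Review bot: "existing DNS records" in the replacement line is ambiguous in a specification: it can be read as records that already exist in a zone rather than the record types DNS already defines, which is what the sentence contrasts with GNS's auxiliary record types. Consider "existing DNS record types" (or keep "traditional DNS record types") so the distinction between record types and record instances stays explicit.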
@@ -409,21 +409,34 @@
data based on key material derived from the zone key,
a label, and an expiration timestamp.
</dd>
- <dt>Sign(d,message) -> signature, SignDerived(d,label,message) -> signature</dt>
+ <dt>Sign(d,message) -> signature</dt>
<dd>
- is a function to sign a message (typically encrypted record data) using the (blinded) private
- key d (d'), yielding an unforgeable cryptographic signature.
+ is a function to sign a message (typically encrypted record data) using the private
+ key d, yielding an unforgeable cryptographic signature.
In order to leverage performance-enhancing caching features of certain
underlying storages, in particular DHTs, a deterministic signature
scheme is recommended.
</dd>
- <dt>Verify(zk,message,signature) -> boolean, VerifyDerived(zk,label,message,signature) -> boolean</dt>
+ <dt>Verify(zk,message,signature) -> boolean</dt>
<dd>
- is a function to verify the signature was created by
- the private key d (or derived key d') corresponding to
- the zone key zk (or derived zone key zk')
- where d,zk := Keygen(). If derivations were used, they
- must have used the same label.
+ is a function to verify the signature was created using
+ the private key d corresponding to the zone key zk
+ where d,zk := Keygen().
+ The function returns a boolean value of "TRUE" if the signature is valid,
+ and otherwise "FALSE".
+ </dd>
+ <dt>SignDerived(d,label,message) -> signature</dt>
+ <dd>
+ is a function to sign a message (typically encrypted record data) that
+ can be verified using the derived zone key zk' := ZKDF-Public(zk,label).
+ In order to leverage performance-enhancing caching features of certain
+ underlying storages, in particular DHTs, a deterministic signature
+ scheme is recommended.
+ </dd>
+ <dt>VerifyDerived(zk,label,message,signature) -> boolean</dt>
+ <dd>
+ is function to verify the signature using the derived zone key
+ zk' := ZKDF-Public(zk,label).
The function returns a boolean value of "TRUE" if the signature is valid,
and otherwise "FALSE".
</dd>
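Review bot: splitting the derived variants into their own definitions drops a requirement the old text stated explicitly, namely "If derivations were used, they must have used the same label"; the new SignDerived and VerifyDerived entries each mention a label but nowhere say that the label passed to VerifyDerived must be the one used in SignDerived, so a reader can no longer tell from the definitions that a signature made under one label does not verify under another. Suggest restoring that sentence in the VerifyDerived entry. Two smaller points in the same hunk: SignDerived(d,label,message) now only says the result "can be verified using the derived zone key zk'" and no longer states which key actually signs, whereas the removed text named the blinded private key d'; and "is function to verify the signature" in the VerifyDerived entry is missing "a" ("is a function to verify ...", matching the other three entries).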