author Martin Schanzenbach <schanzen@gnunet.org> 2021-12-21 16:25:51 +0100
committer Martin Schanzenbach <schanzen@gnunet.org> 2021-12-21 16:25:51 +0100
commit e05b093608f7af0192c3727538ccab7647b916c8 (patch)
tree e78590892245edec708e92bdd5fa8fd925ef8e7d
parent 6700414feb683725d184dbfc77be1972bc8d3cac (diff)
download lsd0001-e05b093608f7af0192c3727538ccab7647b916c8.tar.gz
lsd0001-e05b093608f7af0192c3727538ccab7647b916c8.zip
move revocation
-rw-r--r-- draft-schanzen-gns.xml 483
1 files changed, 242 insertions, 241 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index ff6e2b2..641894b 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1309,6 +1309,248 @@ q := SHA512 (HDKD-Public(zk, label))
1309 </dl> 1309 </dl>
1310 </section> 1310 </section>
1311 </section> 1311 </section>
1312 <section anchor="revocation" numbered="true" toc="default">
1313 <name>Zone Revocation</name>
1314 <t>
1315 Whenever a recursive resolver encounters a new GNS zone, it MUST
1316 check against the local revocation list whether the respective
1317 zone key has been revoked. If the zone key was revoked, the
1318 resolution MUST fail with an empty result set.
1319 </t>
1320 <t>
1321 In order to revoke a zone key, a signed revocation object MUST be
1322 published.
1323 This object MUST be signed using the private zone key.
1324 The revocation object is flooded in the overlay network. To prevent
1325 flooding attacks, the revocation message MUST contain a proof of work
1326 (PoW).
1327 The revocation message including the PoW MAY be calculated
1328 ahead of time to support timely revocation.
1329 </t>
1330 <t>
1331 For all occurences below, "Argon2id" is the Password-based Key
1332 Derivation Function as defined in <xref target="RFC9106" />. For the
1333 PoW calculations the algorithm is instantiated with the
1334 following parameters:
1335 </t>
1336 <dl>
1337 <dt>S</dt>
1338 <dd>The salt. Fixed 16-byte string: "GnsRevocationPow".</dd>
1339 <dt>t</dt>
1340 <dd>Number of iterations: 3</dd>
1341 <dt>m</dt>
1342 <dd>Memory size in KiB: 1024</dd>
1343 <dt>T</dt>
1344 <dd>Output length of hash in bytes: 64</dd>
1345 <dt>p</dt>
1346 <dd>Parallelization parameter: 1</dd>
1347 <dt>v</dt>
1348 <dd>Algorithm version: 0x13</dd>
1349 <dt>y</dt>
1350 <dd>Algorithm type (Argon2id): 2</dd>
1351 <dt>X</dt><dd>Unused</dd>
1352 <dt>K</dt><dd>Unused</dd>
1353 </dl>
1354 <t>
1355 <xref target="figure_revocation"/> illustrates the wire format
1356 of the message string "P" on which the PoW is calculated.
1357 </t>
1358 <figure anchor="figure_revocation">
1359 <artwork name="" type="" align="left" alt=""><![CDATA[
13600 8 16 24 32 40 48 56
1361+-----+-----+-----+-----+-----+-----+-----+-----+
1362| POW |
1363+-----------------------------------------------+
1364| TIMESTAMP |
1365+-----------------------------------------------+
1366| ZONE TYPE | PUBLIC ZONE KEY |
1367+-----+-----+-----+-----+ |
1368/ /
1369/ /
1370+-----+-----+-----+-----+-----+-----+-----+-----+
1371 ]]></artwork>
1372 </figure>
1373 <t>The Wire Format of the PoW Message String.</t>
1374 <dl>
1375 <dt>POW</dt>
1376 <dd>
1377 A 64-bit solution to the PoW. In network byte order.
1378 </dd>
1379 <dt>TIMESTAMP</dt>
1380 <dd>
1381 denotes the absolute 64-bit date when the revocation was computed.
1382 In microseconds since midnight (0 hour), January 1, 1970 in network
1383 byte order.
1384 </dd>
1385 <dt>PUBLIC KEY</dt>
1386 <dd>
1387 is the 256-bit public key zk of the zone which is being revoked and
1388 the key to be used to verify SIGNATURE. The
1389 wire format of this value is defined in <xref target="RFC8032" />,
1390 Section 5.1.5.
1391 </dd>
1392 </dl>
1393 <t>
1394 Traditionally, PoW schemes require to find a POW such that
1395 at least D leading zeroes are found in the hash result.
1396 D is then referred to as the difficulty of the PoW.
1397 In order to reduce the variance in time it takes to calculate the
1398 PoW, we require that a number Z different PoWs must be
1399 found that on average have D leading zeroes.
1400 </t>
1401 <t>
1402 The resulting proofs may then published and disseminated. The concrete
1403 dissemination and publication methods are out of scope of this
1404 document. Given an average difficulty of D, the proofs have an
1405 expiration time of EPOCH. With each additional bit difficulty, the
1406 lifetime of the proof is prolonged for another EPOCH.
1407 Consequently, by calculating a more difficult PoW, the lifetime of the
1408 proof can be increased on demand by the zone owner.
1409 </t>
1410 <t>
1411 The parameters are defined as follows:
1412 </t>
1413 <dl>
1414 <dt>Z</dt>
1415 <dd>The number of PoWs required is fixed at 32.</dd>
1416 <dt>D</dt>
1417 <dd>The difficulty is fixed at 22.</dd>
1418 <dt>EPOCH</dt>
1419 <dd>A single epoch is fixed at 365 days.</dd>
1420 </dl>
1421 <t>
1422 The revocation message wire format is illustrated in
1423 <xref target="figure_revocationdata"/>.
1424 </t>
1425 <figure anchor="figure_revocationdata">
1426 <artwork name="" type="" align="left" alt=""><![CDATA[
14270 8 16 24 32 40 48 56
1428+-----+-----+-----+-----+-----+-----+-----+-----+
1429| TIMESTAMP |
1430+-----+-----+-----+-----+-----+-----+-----+-----+
1431| TTL |
1432+-----+-----+-----+-----+-----+-----+-----+-----+
1433| POW_0 |
1434+-----+-----+-----+-----+-----+-----+-----+-----+
1435| ... |
1436+-----+-----+-----+-----+-----+-----+-----+-----+
1437| POW_Z-1 |
1438+-----------------------------------------------+
1439| ZONE TYPE | PUBLIC ZONE KEY |
1440+-----+-----+-----+-----+ |
1441/ /
1442/ /
1443+-----+-----+-----+-----+-----+-----+-----+-----+
1444| SIGNATURE |
1445/ /
1446/ /
1447| |
1448+-----+-----+-----+-----+-----+-----+-----+-----+
1449 ]]></artwork>
1450 </figure>
1451 <t>The Revocation Message Wire Format.</t>
1452 <dl>
1453 <dt>TIMESTAMP</dt>
1454 <dd>
1455 denotes the absolute 64-bit date when the revocation was computed.
1456 In microseconds since midnight (0 hour), January 1, 1970 in network
1457 byte order. This is the same value as the timestamp used in the
1458 individual PoW calculations.
1459 </dd>
1460 <dt>TTL</dt>
1461 <dd>
1462 denotes the relative 64-bit time to live of of the record in
1463 microseconds also in network byte order. This field is informational
1464 for a verifier. The verifier may discard revocation if the TTL
1465 indicates that it is already expired. However, the actual TTL of the
1466 revocation must be determined by examining the leading zeros in the
1467 proof of work calculation.
1468 </dd>
1469 <dt>POW_i</dt>
1470 <dd>
1471 The values calculated as part of the PoW, in network byte order.
1472 Each POW_i MUST be unique in the set of POW values.
1473 To facilitate fast verification
1474 of uniqueness, the POW values must be given in strictly
1475 monotonically increasing order in the message.
1476 </dd>
1477 <dt>ZONE TYPE</dt>
1478 <dd>
1479 The 32-bit zone type corresponding to the zone public key.
1480 </dd>
1481 <dt>ZONE PUBLIC KEY</dt>
1482 <dd>
1483 is the public key zk of the zone which is being revoked and
1484 the key to be used to verify SIGNATURE.
1485 </dd>
1486 <dt>SIGNATURE</dt>
1487 <dd>
1488 A signature over a timestamp and the public zone zk of the zone
1489 which is revoked and corresponds to the key used in the PoW.
1490 The signature is created using the Sign() function of
1491 the cryptosystem of the zone and the private zone key
1492 (see <xref target="zone_types" />).
1493 </dd>
1494 </dl>
1495 <t>
1496 The signature over the public key covers a 32-bit pseudo header
1497 conceptually prefixed to the public key. The pseudo header includes
1498 the key length and signature purpose. The wire format is illustrated
1499 in <xref target="figure_revsigwithpseudo"/>.
1500 </t>
1501 <figure anchor="figure_revsigwithpseudo">
1502 <artwork name="" type="" align="left" alt=""><![CDATA[
15030 8 16 24 32 40 48 56
1504+-----+-----+-----+-----+-----+-----+-----+-----+
1505| SIZE (0x30) | PURPOSE (0x03) |
1506+-----+-----+-----+-----+-----+-----+-----+-----+
1507| TIMESTAMP |
1508+-----+-----+-----+-----+-----+-----+-----+-----+
1509| ZONE TYPE | ZONE PUBLIC KEY |
1510+-----+-----+-----+-----+ |
1511/ /
1512/ /
1513+-----+-----+-----+-----+-----+-----+-----+-----+
1514 ]]></artwork>
1515 </figure>
1516 <t>The Wire Format of the Revocation Data for Signing.</t>
1517 <dl>
1518 <dt>SIZE</dt>
1519 <dd>
1520 A 32-bit value containing the length of the signed data in bytes
1521 in network byte order.
1522 </dd>
1523 <dt>PURPOSE</dt>
1524 <dd>
1525 A 32-bit signature purpose flag. This field MUST be 3 (in network
1526 byte order).
1527 </dd>
1528 <dt>ZONE TYPE</dt>
1529 <dd>
1530 The 32-bit zone type corresponding to the zone public key.
1531 </dd>
1532 <dt>ZONE PUBLIC KEY / TIMESTAMP</dt>
1533 <dd>Both values as defined in the revocation data object above.</dd>
1534 </dl>
1535 <t>
1536 In order to verify a revocation the following steps must be taken,
1537 in order:
1538 </t>
1539 <ol>
1540 <li>The current time MUST be between TIMESTAMP and
1541 TIMESTAMP+TTL.</li>
1542 <li>The signature MUST match the public key.</li>
1543 <li>The set of POW values MUST NOT contain duplicates.</li>
1544 <li>The average number of leading zeroes resulting from the provided
1545 POW values D' MUST be greater than D.</li>
1546 <li>The validation period (TTL) of the revocation is calculated as
1547 (D'-D) * EPOCH * 1.1. The EPOCH is extended by
1548 10% in order to deal with unsynchronized clocks.
1549 The TTL added on top of the TIMESTAMP yields the
1550 expiration date.</li>
1551 </ol>
1552 </section>
1553
1312 <section anchor="resolution" numbered="true" toc="default"> 1554 <section anchor="resolution" numbered="true" toc="default">
1313 <name>Name Resolution</name> 1555 <name>Name Resolution</name>
1314 <t> 1556 <t>
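Review bot: The TTL rule in verification step 5 of the inserted section (`(D'-D) * EPOCH * 1.1`, lines 1546-1548) contradicts the prose at 1404-1406, which states that a proof with average difficulty D already has a lifetime of one EPOCH: under the formula, D' = D yields a TTL of zero, and step 4 (1544-1545) additionally requires D' to be strictly greater than D, so a proof computed at exactly the fixed difficulty of 22 would be rejected outright. Settle on one reading, either "at least D" in step 4 with `(D'-D+1) * EPOCH * 1.1`, or reword 1404-1406 so that the base lifetime at D is zero. Three smaller points in the same hunk: the signing layout at 1505 gives `SIZE (0x30)`, but 1496 calls the pseudo header 32-bit while the artwork shows two 32-bit fields, and 0x30 (48 bytes) does not match the 4+4+8+4+32 = 52 bytes the figure depicts with a 32-bit ZONE TYPE and the 256-bit key of 1387 unless the zone type is meant to be excluded, so either SIZE or the figure needs correcting; the field names diverge between artwork and lists (`PUBLIC ZONE KEY` at 1366 and 1439 versus `PUBLIC KEY` at 1385 and `ZONE PUBLIC KEY` at 1481), and the first list (1374-1392) omits ZONE TYPE although the figure carries it; and the text has "occurences" (1331), "may then published" (1402, missing "be") and "of of" (1462).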
@@ -1666,247 +1908,6 @@ NICK: john (Supplemental)
1666 </section> 1908 </section>
1667 </section> 1909 </section>
1668 </section> 1910 </section>
1669 <section anchor="revocation" numbered="true" toc="default">
1670 <name>Zone Revocation</name>
1671 <t>
1672 Whenever a recursive resolver encounters a new GNS zone, it MUST
1673 check against the local revocation list whether the respective
1674 zone key has been revoked. If the zone key was revoked, the
1675 resolution MUST fail with an empty result set.
1676 </t>
1677 <t>
1678 In order to revoke a zone key, a signed revocation object MUST be
1679 published.
1680 This object MUST be signed using the private zone key.
1681 The revocation object is flooded in the overlay network. To prevent
1682 flooding attacks, the revocation message MUST contain a proof of work
1683 (PoW).
1684 The revocation message including the PoW MAY be calculated
1685 ahead of time to support timely revocation.
1686 </t>
1687 <t>
1688 For all occurences below, "Argon2id" is the Password-based Key
1689 Derivation Function as defined in <xref target="RFC9106" />. For the
1690 PoW calculations the algorithm is instantiated with the
1691 following parameters:
1692 </t>
1693 <dl>
1694 <dt>S</dt>
1695 <dd>The salt. Fixed 16-byte string: "GnsRevocationPow".</dd>
1696 <dt>t</dt>
1697 <dd>Number of iterations: 3</dd>
1698 <dt>m</dt>
1699 <dd>Memory size in KiB: 1024</dd>
1700 <dt>T</dt>
1701 <dd>Output length of hash in bytes: 64</dd>
1702 <dt>p</dt>
1703 <dd>Parallelization parameter: 1</dd>
1704 <dt>v</dt>
1705 <dd>Algorithm version: 0x13</dd>
1706 <dt>y</dt>
1707 <dd>Algorithm type (Argon2id): 2</dd>
1708 <dt>X</dt><dd>Unused</dd>
1709 <dt>K</dt><dd>Unused</dd>
1710 </dl>
1711 <t>
1712 <xref target="figure_revocation"/> illustrates the wire format
1713 of the message string "P" on which the PoW is calculated.
1714 </t>
1715 <figure anchor="figure_revocation">
1716 <artwork name="" type="" align="left" alt=""><![CDATA[
17170 8 16 24 32 40 48 56
1718+-----+-----+-----+-----+-----+-----+-----+-----+
1719| POW |
1720+-----------------------------------------------+
1721| TIMESTAMP |
1722+-----------------------------------------------+
1723| ZONE TYPE | PUBLIC ZONE KEY |
1724+-----+-----+-----+-----+ |
1725/ /
1726/ /
1727+-----+-----+-----+-----+-----+-----+-----+-----+
1728 ]]></artwork>
1729 </figure>
1730 <t>The Wire Format of the PoW Message String.</t>
1731 <dl>
1732 <dt>POW</dt>
1733 <dd>
1734 A 64-bit solution to the PoW. In network byte order.
1735 </dd>
1736 <dt>TIMESTAMP</dt>
1737 <dd>
1738 denotes the absolute 64-bit date when the revocation was computed.
1739 In microseconds since midnight (0 hour), January 1, 1970 in network
1740 byte order.
1741 </dd>
1742 <dt>PUBLIC KEY</dt>
1743 <dd>
1744 is the 256-bit public key zk of the zone which is being revoked and
1745 the key to be used to verify SIGNATURE. The
1746 wire format of this value is defined in <xref target="RFC8032" />,
1747 Section 5.1.5.
1748 </dd>
1749 </dl>
1750 <t>
1751 Traditionally, PoW schemes require to find a POW such that
1752 at least D leading zeroes are found in the hash result.
1753 D is then referred to as the difficulty of the PoW.
1754 In order to reduce the variance in time it takes to calculate the
1755 PoW, we require that a number Z different PoWs must be
1756 found that on average have D leading zeroes.
1757 </t>
1758 <t>
1759 The resulting proofs may then published and disseminated. The concrete
1760 dissemination and publication methods are out of scope of this
1761 document. Given an average difficulty of D, the proofs have an
1762 expiration time of EPOCH. With each additional bit difficulty, the
1763 lifetime of the proof is prolonged for another EPOCH.
1764 Consequently, by calculating a more difficult PoW, the lifetime of the
1765 proof can be increased on demand by the zone owner.
1766 </t>
1767 <t>
1768 The parameters are defined as follows:
1769 </t>
1770 <dl>
1771 <dt>Z</dt>
1772 <dd>The number of PoWs required is fixed at 32.</dd>
1773 <dt>D</dt>
1774 <dd>The difficulty is fixed at 22.</dd>
1775 <dt>EPOCH</dt>
1776 <dd>A single epoch is fixed at 365 days.</dd>
1777 </dl>
1778 <t>
1779 The revocation message wire format is illustrated in
1780 <xref target="figure_revocationdata"/>.
1781 </t>
1782 <figure anchor="figure_revocationdata">
1783 <artwork name="" type="" align="left" alt=""><![CDATA[
17840 8 16 24 32 40 48 56
1785+-----+-----+-----+-----+-----+-----+-----+-----+
1786| TIMESTAMP |
1787+-----+-----+-----+-----+-----+-----+-----+-----+
1788| TTL |
1789+-----+-----+-----+-----+-----+-----+-----+-----+
1790| POW_0 |
1791+-----+-----+-----+-----+-----+-----+-----+-----+
1792| ... |
1793+-----+-----+-----+-----+-----+-----+-----+-----+
1794| POW_Z-1 |
1795+-----------------------------------------------+
1796| ZONE TYPE | PUBLIC ZONE KEY |
1797+-----+-----+-----+-----+ |
1798/ /
1799/ /
1800+-----+-----+-----+-----+-----+-----+-----+-----+
1801| SIGNATURE |
1802/ /
1803/ /
1804| |
1805+-----+-----+-----+-----+-----+-----+-----+-----+
1806 ]]></artwork>
1807 </figure>
1808 <t>The Revocation Message Wire Format.</t>
1809 <dl>
1810 <dt>TIMESTAMP</dt>
1811 <dd>
1812 denotes the absolute 64-bit date when the revocation was computed.
1813 In microseconds since midnight (0 hour), January 1, 1970 in network
1814 byte order. This is the same value as the timestamp used in the
1815 individual PoW calculations.
1816 </dd>
1817 <dt>TTL</dt>
1818 <dd>
1819 denotes the relative 64-bit time to live of of the record in
1820 microseconds also in network byte order. This field is informational
1821 for a verifier. The verifier may discard revocation if the TTL
1822 indicates that it is already expired. However, the actual TTL of the
1823 revocation must be determined by examining the leading zeros in the
1824 proof of work calculation.
1825 </dd>
1826 <dt>POW_i</dt>
1827 <dd>
1828 The values calculated as part of the PoW, in network byte order.
1829 Each POW_i MUST be unique in the set of POW values.
1830 To facilitate fast verification
1831 of uniqueness, the POW values must be given in strictly
1832 monotonically increasing order in the message.
1833 </dd>
1834 <dt>ZONE TYPE</dt>
1835 <dd>
1836 The 32-bit zone type corresponding to the zone public key.
1837 </dd>
1838 <dt>ZONE PUBLIC KEY</dt>
1839 <dd>
1840 is the public key zk of the zone which is being revoked and
1841 the key to be used to verify SIGNATURE.
1842 </dd>
1843 <dt>SIGNATURE</dt>
1844 <dd>
1845 A signature over a timestamp and the public zone zk of the zone
1846 which is revoked and corresponds to the key used in the PoW.
1847 The signature is created using the Sign() function of
1848 the cryptosystem of the zone and the private zone key
1849 (see <xref target="zone_types" />).
1850 </dd>
1851 </dl>
1852 <t>
1853 The signature over the public key covers a 32-bit pseudo header
1854 conceptually prefixed to the public key. The pseudo header includes
1855 the key length and signature purpose. The wire format is illustrated
1856 in <xref target="figure_revsigwithpseudo"/>.
1857 </t>
1858 <figure anchor="figure_revsigwithpseudo">
1859 <artwork name="" type="" align="left" alt=""><![CDATA[
18600 8 16 24 32 40 48 56
1861+-----+-----+-----+-----+-----+-----+-----+-----+
1862| SIZE (0x30) | PURPOSE (0x03) |
1863+-----+-----+-----+-----+-----+-----+-----+-----+
1864| TIMESTAMP |
1865+-----+-----+-----+-----+-----+-----+-----+-----+
1866| ZONE TYPE | ZONE PUBLIC KEY |
1867+-----+-----+-----+-----+ |
1868/ /
1869/ /
1870+-----+-----+-----+-----+-----+-----+-----+-----+
1871 ]]></artwork>
1872 </figure>
1873 <t>The Wire Format of the Revocation Data for Signing.</t>
1874 <dl>
1875 <dt>SIZE</dt>
1876 <dd>
1877 A 32-bit value containing the length of the signed data in bytes
1878 in network byte order.
1879 </dd>
1880 <dt>PURPOSE</dt>
1881 <dd>
1882 A 32-bit signature purpose flag. This field MUST be 3 (in network
1883 byte order).
1884 </dd>
1885 <dt>ZONE TYPE</dt>
1886 <dd>
1887 The 32-bit zone type corresponding to the zone public key.
1888 </dd>
1889 <dt>ZONE PUBLIC KEY / TIMESTAMP</dt>
1890 <dd>Both values as defined in the revocation data object above.</dd>
1891 </dl>
1892 <t>
1893 In order to verify a revocation the following steps must be taken,
1894 in order:
1895 </t>
1896 <ol>
1897 <li>The current time MUST be between TIMESTAMP and
1898 TIMESTAMP+TTL.</li>
1899 <li>The signature MUST match the public key.</li>
1900 <li>The set of POW values MUST NOT contain duplicates.</li>
1901 <li>The average number of leading zeroes resulting from the provided
1902 POW values D' MUST be greater than D.</li>
1903 <li>The validation period (TTL) of the revocation is calculated as
1904 (D'-D) * EPOCH * 1.1. The EPOCH is extended by
1905 10% in order to deal with unsynchronized clocks.
1906 The TTL added on top of the TIMESTAMP yields the
1907 expiration date.</li>
1908 </ol>
1909 </section>
1910 <section anchor="encoding" numbered="true" toc="default"> 1911 <section anchor="encoding" numbered="true" toc="default">
1911 <name>Internationalization and Character Encoding</name> 1912 <name>Internationalization and Character Encoding</name>
1912 <t> 1913 <t>
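Review bot: This hunk only deletes the copy at 1669-1909 that the first hunk re-inserts verbatim at 1312-1552 (the extra blank line at 1553 accounts for 242 insertions against 241 deletions), so the commit message "move revocation" should state why the section moves ahead of Name Resolution, otherwise the history reads as a removal rather than a relocation. The `revocation` anchor survives the move, but because the section is numbered, the section and figure numbers of everything between the old and new position shift, so any numeric section references in the draft or in documents citing draft-schanzen-gns by section number need a check. Wording fixes to the revocation text belong in the inserted copy, not in this hunk.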