| author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-09-06 10:51:46 +0200 |
|---|---|---|
| committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-09-06 10:51:46 +0200 |
| commit | 495b02b508e08477eb8e2aaa06fdbd0ea92ecfee | |
| tree | 105d18ce7eda6427c161d833980d718759cf1cb2 /draft-schanzen-gns.xml | |
| parent | 91d8559eb5b5202fa7ba0e755511ac66c0710261 | |
Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- | draft-schanzen-gns.xml | 50 |
1 files changed, 32 insertions, 18 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index 25530b6..65c7113 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -136,14 +136,21 @@ | |||
136 | A zone in GNS is defined by a public/private key pair (d,zk), | 136 | A zone in GNS is defined by a public/private key pair (d,zk), |
137 | where d is the private key and zk the corresponding public key. | 137 | where d is the private key and zk the corresponding public key. |
138 | The contents of a zone are cryptographically signed before | 138 | The contents of a zone are cryptographically signed before |
139 | publishing. Instead of the zone private key "d", the signature MUST | 139 | being published a Distributed Hash Table (DHT). |
140 | Records are grouped by their label and encrypted (<xref target="recordencryption"/>) | ||
141 | using an encryption key derived from the label and the zone public key. | ||
142 | Instead of the zone private key "d", the signature MUST | ||
140 | be created using a blinded public/private key pair d' and zk'. | 143 | be created using a blinded public/private key pair d' and zk'. |
141 | This blinding is realized using a Hierarchical Deterministic Key | 144 | This blinding is realized using a Hierarchical Deterministic Key |
142 | Derivation (HDKD) scheme. | 145 | Derivation (HDKD) scheme. |
143 | Such a scheme allows the zone owner to derivate a private d' and a | 146 | Such a scheme allows the zone owner to derive a private d' and a |
144 | resolver to derive the corresponding public key zk' in a deterministic | 147 | resolver to derive the corresponding public key zk' in a deterministic |
145 | manner from the original public and private zone keys as well as a | 148 | manner from the original public and private zone keys as well as a |
146 | label. | 149 | label. This feature prevents zone enumeration and requires knowledge |
150 | of both "zk" and the queried label to confirm affiliation with a | ||
151 | specific zone. At the same time, the blinded "zk'" provides nodes | ||
152 | with the ability to verifiy the integrity of the published information | ||
153 | without disclosing the originating zone. | ||
147 | </t> | 154 | </t> |
148 | <t> | 155 | <t> |
149 | The following primitives define a zone in GNS: | 156 | The following primitives define a zone in GNS: |
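Review bot: the new sentence at line 139 is missing a preposition ("before being published a Distributed Hash Table (DHT)" should read "before being published in a Distributed Hash Table (DHT)"), and line 152 misspells "verify" as "verifiy". The added rationale for signing with the blinded pair is a clear improvement; consider stating here that a resolver only obtains the affiliation guarantee if it derives zk' itself from zk and the label and compares it to the key carried with the published data, since the blinded key on its own confirms integrity but not origin, as the last added sentence already hints.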
@@ -177,12 +184,14 @@ | |||
177 | is a HDKD function which blinds a public zone key "zk" of the | 184 | is a HDKD function which blinds a public zone key "zk" of the |
178 | respective type. | 185 | respective type. |
179 | </dd> | 186 | </dd> |
180 | <dt>TLD(zk) -> zkl</dt> | 187 | <dt>NameSuffix(ztype, zk) -> zkl</dt> |
181 | <dd> | 188 | <dd> |
182 | is a function which defines a mapping from zone public key to | 189 | is a function which defines a mapping from zone public key to |
183 | a string "zkl" of the respective type. | 190 | a string "zkl" of the respective type. |
184 | It is string which encodes the "ztype" as well as the zone | 191 | It is a string which encodes the "ztype" as well as the zone |
185 | key "zk" into one or more labels. | 192 | key "zk" into one or more labels. The "zkl" is used as a |
193 | globally unique reference to a specific namespace in the | ||
194 | process of name resolution. | ||
186 | </dd> | 195 | </dd> |
187 | </dl> | 196 | </dl> |
188 | <t> | 197 | <t> |
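Review bot: the signature is changed to NameSuffix(ztype, zk), but the description at lines 189-190 still says the function "defines a mapping from zone public key to a string", so the new ztype parameter is an input the text never mentions; suggest "defines a mapping from a zone type "ztype" and a zone public key "zk" to a string "zkl"". Also, since TLD() is renamed here, any remaining TLD() references outside this diff need the same rename so they match the NameSuffix() usage in the name resolution example later in this patch.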
@@ -763,7 +772,7 @@ q := SHA512 (HDKD-Public(zk, label)) | |||
763 | | | | 772 | | | |
764 | +-----+-----+-----+-----+-----+-----+-----+-----+ | 773 | +-----+-----+-----+-----+-----+-----+-----+-----+ |
765 | | ZONE TYPE | PUBLIC ZONE KEY | | 774 | | ZONE TYPE | PUBLIC ZONE KEY | |
766 | +-----+-----+-----+-----+ | | 775 | +-----+-----+-----+-----+ (BLINDED) | |
767 | / / | 776 | / / |
768 | / / | 777 | / / |
769 | | | | 778 | | | |
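Review bot: the figure labels the field "PUBLIC ZONE KEY (BLINDED)" while the field list in the next hunk names the same field "ZONE PUBLIC KEY", and the SIGNATURE description there still refers to "the PUBLIC KEY field"; pick one name and use it in all three places so the wire-format figure and its field descriptions can be cross-referenced unambiguously.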
@@ -784,12 +793,17 @@ q := SHA512 (HDKD-Public(zk, label)) | |||
784 | <dd> | 793 | <dd> |
785 | The signature is computed over the data following | 794 | The signature is computed over the data following |
786 | the PUBLIC KEY field. | 795 | the PUBLIC KEY field. |
787 | The signature is created using the derived private key "d'" (see | 796 | The signature is created using the derived private key |
788 | <xref target="zone_types" />). | 797 | "HDKD-Private(d, label)" (see <xref target="zone_types" />). |
789 | </dd> | 798 | </dd> |
790 | <dt>PUBLIC KEY</dt> | 799 | <dt>ZONE TYPE</dt> |
800 | <dd> | ||
801 | is the 32-bit zone type. | ||
802 | </dd> | ||
803 | <dt>ZONE PUBLIC KEY</dt> | ||
791 | <dd> | 804 | <dd> |
792 | is the public key "zk'" to be used to verify SIGNATURE. | 805 | is the blinded public zone key "HDKD-Public(zk, label)" |
806 | to be used to verify SIGNATURE. | ||
793 | </dd> | 807 | </dd> |
794 | <dt>SIZE</dt> | 808 | <dt>SIZE</dt> |
795 | <dd> | 809 | <dd> |
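Review bot: the ZONE PUBLIC KEY description says the blinded key "HDKD-Public(zk, label)" is "to be used to verify SIGNATURE", but a verifier that only takes the key embedded in the block gains no binding to the zone, because any key verifies its own signature; since line 150 of this patch states that knowledge of "zk" and the label is required to confirm zone affiliation, this description should say that a resolver MUST recompute HDKD-Public(zk, label) from its expected zk and compare it to the field (or use its own derived value in place of the embedded one). Separately, ZONE TYPE is now a 32-bit field that sits outside the signed region ("the data following the PUBLIC KEY field"), so it is worth stating explicitly that the verifier checks that ZONE TYPE matches the type of the key before using it for verification.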
@@ -1512,15 +1526,15 @@ NICK: john (Supplemental) | |||
1512 | particular application requires a different process. | 1526 | particular application requires a different process. |
1513 | </t> | 1527 | </t> |
1514 | <t> | 1528 | <t> |
1515 | GNS clients SHOULD first try to interpret the top-level domain of | 1529 | GNS clients MUST first try to interpret the top-level domain of |
1516 | a GNS name as a zone key. | 1530 | a GNS name as a zone key representation "zkl := NameSuffix(ztype, zk)". |
1517 | For example. if the top-level domain is a label representation of | 1531 | If the top-level domain is indicated to be a label representation of |
1518 | a public zone key "zkl", the root zone of the resolution process | 1532 | a public zone key with a well-defined "ztype" value, the root zone of |
1519 | is implicitly given by the name: | 1533 | the resolution process is implicitly given by the suffic of the name: |
1520 | </t> | 1534 | </t> |
1521 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1535 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
1522 | Example name: www.example.<zkl> | 1536 | Example name: www.example.<NameSuffix(ztype, zk)> |
1523 | => Root zone: zk | 1537 | => Root zone: zk of type ztype |
1524 | => Name to resolve from root zone: www.example | 1538 | => Name to resolve from root zone: www.example |
1525 | ]]></artwork> | 1539 | ]]></artwork> |
1526 | <t> | 1540 | <t> |
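Review bot: line 1533 misspells "suffix" as "suffic". Raising SHOULD to MUST at line 1529 is reasonable, but the condition "with a well-defined "ztype" value" at line 1532 now leaves the failure path implicit: say what a client does when the top-level domain decodes as a "zkl" whose ztype is unknown or unsupported (fall back to the next interpretation of the name, or fail resolution), since an unspecified fallback leads to divergent client behaviour on the same name.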