diff options
Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- | draft-schanzen-gns.xml | 158 |
1 files changed, 89 insertions, 69 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index 1ccb978..bf76096 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -183,7 +183,7 @@ | |||
183 | A GNS label is a label as defined in <xref target="RFC8499"/>. | 183 | A GNS label is a label as defined in <xref target="RFC8499"/>. |
184 | Within this document, labels are always assumed to be strings of | 184 | Within this document, labels are always assumed to be strings of |
185 | UTF-8 characters <xref target="RFC8499"/> with a maximum length of | 185 | UTF-8 characters <xref target="RFC8499"/> with a maximum length of |
186 | 63 bytes. When hashed, labels MUST be canonicalized using | 186 | 63 bytes. When hashed, labels MUST be canonicalized using |
187 | Normalization Form C (NFC) <xref target="Unicode-UAX15"/>. | 187 | Normalization Form C (NFC) <xref target="Unicode-UAX15"/>. |
188 | </dd> | 188 | </dd> |
189 | <dt>Name</dt> | 189 | <dt>Name</dt> |
@@ -195,26 +195,27 @@ | |||
195 | </dd> | 195 | </dd> |
196 | <dt>Top-Level Domain</dt> | 196 | <dt>Top-Level Domain</dt> |
197 | <dd> | 197 | <dd> |
198 | A GNS Top-Level Domain is a GNS label and a Top-Level | 198 | The rightmost label in a GNS name is a GNS Top-Level Domain (TLD). |
199 | Domain (TLD) as defined in <xref target="RFC8499"/>. | 199 | Unlike DNS Top-Level Domains (defined in <xref target="RFC8499"/>), |
200 | With the exception of Zone Top-Level Domains (see below), | 200 | GNS does not expect all users to use the same global root zone. Instead, |
201 | GNS TLDs are part of the configuration of the local resolver | 201 | with the exception of Zone Top-Level Domains (see below), |
202 | (see <xref target="governance"/>) and may not be globally unique. | 202 | GNS TLDs are typically part of the configuration of the local resolver |
203 | (see <xref target="governance"/>), and may thus not be globally unique. | ||
203 | </dd> | 204 | </dd> |
204 | <dt>Zone</dt> | 205 | <dt>Zone</dt> |
205 | <dd> | 206 | <dd> |
206 | A GNS zone contains authoritative information (resource records). | 207 | A GNS zone contains authoritative information (resource records). |
207 | A zone is uniquely identified by its zone key. | 208 | A zone is uniquely identified by its zone key. Unlike DNS zones, |
209 | a GNS zone does not need to have a SOA record at its apex. | ||
208 | </dd> | 210 | </dd> |
209 | <dt>Zone Type</dt> | 211 | <dt>Zone Type</dt> |
210 | <dd> | 212 | <dd> |
211 | The type of a GNS zone determines the format and type of the | 213 | The type of a GNS zone determines the cipher system and binary encoding |
212 | zone key. | 214 | format of the zone key, blinded zone keys, and signatures. |
213 | </dd> | 215 | </dd> |
214 | <dt>Zone Key</dt> | 216 | <dt>Zone Key</dt> |
215 | <dd> | 217 | <dd> |
216 | The zone key uniquely identifies a zone. | 218 | The zone key uniquely identifies a zone. |
217 | Its format and type depend on the associated zone type. | ||
218 | The zone key is usually a public key of an asymmetric key pair. | 219 | The zone key is usually a public key of an asymmetric key pair. |
219 | </dd> | 220 | </dd> |
220 | <dt>Blinded Zone Key</dt> | 221 | <dt>Blinded Zone Key</dt> |
@@ -224,16 +225,18 @@ | |||
224 | </dd> | 225 | </dd> |
225 | <dt>Zone Owner</dt> | 226 | <dt>Zone Owner</dt> |
226 | <dd> | 227 | <dd> |
227 | The owner of a GNS zone is the holder of the private key corresponding to | 228 | The owner of a GNS zone is the holder of the secret (typically a private key) |
228 | the respective zone key. | 229 | that (together with a label and a value to sign) allows the creation of zone |
230 | signatures that can be validated against the respective blinded zone key. | ||
229 | </dd> | 231 | </dd> |
230 | <dt>Zone Top-Level Domain</dt> | 232 | <dt>Zone Top-Level Domain</dt> |
231 | <dd> | 233 | <dd> |
232 | A GNS Zone Top-Level Domain (zTLD) is a GNS name and a Top-Level | 234 | A GNS Zone Top-Level Domain (zTLD) is a GNS label used as the |
233 | Domain (TLD) as defined in <xref target="RFC8499"/>. | 235 | rightmost label in a GNS name which encodes a zone type and |
234 | It represents a sub-group of all TLDs and encodes the zone type and | ||
235 | zone key of a zone. | 236 | zone key of a zone. |
236 | Due to the statistical uniqueness of zone keys, zTLDs are also globally unique. | 237 | Due to the statistical uniqueness of zone keys, zTLDs are also globally unique. |
238 | A zTLD label can only be distinguished from ordinary TLD labels | ||
239 | by attempting to decode the label to a zone type and zone key. | ||
237 | </dd> | 240 | </dd> |
238 | <dt>Resource Record</dt> | 241 | <dt>Resource Record</dt> |
239 | <dd> | 242 | <dd> |
@@ -252,13 +255,17 @@ | |||
252 | Zones are uniquely identified by a zone key. | 255 | Zones are uniquely identified by a zone key. |
253 | Zone contents are signed using blinded private keys and | 256 | Zone contents are signed using blinded private keys and |
254 | encrypted using derived secret keys. | 257 | encrypted using derived secret keys. |
255 | The zone type determines the respectice set of cryptographic functions. | 258 | The zone type determines the respective set of cryptographic operations |
259 | and the wire formats for encrypted data, public keys and signatures. | ||
256 | </t> | 260 | </t> |
257 | <t> | 261 | <t> |
258 | A zone can be populated with mappings from labels to resource records by | 262 | A zone can be populated with mappings from labels to resource records by |
259 | its owner (<xref target="rrecords"/>). | 263 | its owner (<xref target="rrecords"/>). |
260 | Labels can be delegated to other zones using delegation records and in | 264 | A label can be mapped to a delegation record which results in the |
261 | order to support (legacy) applications as well as facilitate the use | 265 | corresponding subdomain being delegated to another zone. Circular |
266 | delegations are explicitly allowed, including delegating a subdomain | ||
267 | to its immediate parent zone. In | ||
268 | order to support (legacy) applications as well as to facilitate the use | ||
262 | of petnames, GNS defines auxiliary record types in addition to | 269 | of petnames, GNS defines auxiliary record types in addition to |
263 | supporting traditional DNS records. | 270 | supporting traditional DNS records. |
264 | </t> | 271 | </t> |
@@ -268,31 +275,35 @@ | |||
268 | (<xref target="publish"/>). | 275 | (<xref target="publish"/>). |
269 | In this process, unique zone identification is hidden from the network | 276 | In this process, unique zone identification is hidden from the network |
270 | through the use of key blinding. | 277 | through the use of key blinding. |
271 | It allows the creation of signatures for zone contents | 278 | Key blinding allows the creation of signatures for zone contents |
272 | using a blinded public/private key pair. | 279 | using a blinded public/private key pair. |
273 | This blinding is realized using a deterministic key | 280 | This blinding is realized using a deterministic key |
274 | derivation from | 281 | derivation from |
275 | the original zone key and corresponding private key using record label values. | 282 | the original zone key and corresponding private key using record label values |
276 | Specifically, the zone owner can derive private keys for each record | 283 | as blinding factors. |
284 | Specifically, the zone owner can derive blinded private keys for each record | ||
277 | set published under a label, and a | 285 | set published under a label, and a |
278 | resolver can derive the corresponding public keys. | 286 | resolver can derive the corresponding blinded public keys. |
279 | It is expected that GNS implementations use distributed or decentralized | 287 | It is expected that GNS implementations use distributed or decentralized |
280 | storages such as distributed hash tables (DHT) in order to facilitate | 288 | storages such as distributed hash tables (DHT) in order to facilitate |
281 | availability within a network without the need of servers. | 289 | availability within a network without the need for dedicated infrastructure. |
282 | Specification of such a distributed or decentralized storage is out of | 290 | Specification of such a distributed or decentralized storage is out of |
283 | scope of this document but possible existing implementations include those | 291 | scope of this document, but possible existing implementations include those |
284 | based on <xref target="RFC7363" />, <xref target="Kademlia" /> or | 292 | based on <xref target="RFC7363" />, <xref target="Kademlia" /> or |
285 | <xref target="R5N" />. | 293 | <xref target="R5N" />. |
286 | </t> | 294 | </t> |
287 | <t> | 295 | <t> |
288 | Names in GNS are domain names as defined in <xref target="RFC8499"/>. | 296 | Names in GNS are domain names as defined in <xref target="RFC8499"/>. |
289 | Starting from a configurable root zone, names are resolved following zone | 297 | Starting from a configurable root zone, names are resolved by following zone |
290 | delegations which are recursively queried from the storage (<xref target="resolution"/>). | 298 | delegations. For each label in a name, the recursive GNS resolver |
299 | fetches the respective record from the storage layer (<xref target="resolution"/>). | ||
291 | Without knowledge of the label values and the zone keys, the | 300 | Without knowledge of the label values and the zone keys, the |
292 | different derived keys are unlinkable both to the original key and to each | 301 | different derived keys are unlinkable both to the original zone key and to each |
293 | other. | 302 | other. |
294 | This prevents zone enumeration and requires knowledge | 303 | This prevents zone enumeration (except via impractical online brute |
295 | of both the zone key and the label to confirm affiliation with a | 304 | force attacks) and requires knowledge |
305 | of both the zone key and the label to confirm affiliation of a | ||
306 | query or the corresponding encrypted record set with a | ||
296 | specific zone. At the same time, the blinded zone key provides | 307 | specific zone. At the same time, the blinded zone key provides |
297 | resolvers | 308 | resolvers |
298 | with the ability to verify the integrity of the published information | 309 | with the ability to verify the integrity of the published information |
@@ -313,44 +324,44 @@ | |||
313 | It can be represented by a Zone Top-Level Domain (zTLD) string. | 324 | It can be represented by a Zone Top-Level Domain (zTLD) string. |
314 | </t> | 325 | </t> |
315 | <t> | 326 | <t> |
316 | The zone type ztype is the unique zone type of the zone as registered | 327 | Each zone type (ztype) is assigned a unique 32-bit number when it is registered |
317 | in the GNUnet Assigned Numbers Authority <xref target="GANA" />. | 328 | in the GNUnet Assigned Numbers Authority <xref target="GANA" />. |
318 | The zone type determines which cryptosystem is used for the | 329 | The ztype determines which cryptosystem is used for the |
319 | asymmetric and symmetric key operations of the zone. | 330 | asymmetric and symmetric key operations of the zone. |
320 | The zone type is identified by a 32-bit number. | 331 | The ztype number always corresponds to a resource record type |
321 | It always corresponds to a resource record type number identifying a | 332 | number identifying a delegation into a zone of this type. To |
322 | delegation into a zone of this type. | 333 | ensure that there are no conflicts with DNS record types, ztypes |
334 | are always assigned numeric values above 65535. | ||
323 | </t> | 335 | </t> |
324 | <t> | 336 | <t> |
325 | For any zone, d is the private key. zk is the zone key. | 337 | For any zone, let d be the private key and zk the public zone key. |
326 | The specific formats depends on the zone type. | 338 | The specific wire format used depends on the ztype. |
327 | The creation of zone keys for the default zone types are specified in | 339 | The creation of zone keys for the default ztypes are specified in |
328 | <xref target="gnsrecords_delegation"/>. | 340 | <xref target="gnsrecords_delegation"/>. |
329 | New zone types may be specified in the future, for example if the | 341 | New ztypes may be specified in the future, for example if the |
330 | cryptographic mechanisms used in this document are broken. | 342 | cryptographic mechanisms used in this document are broken. |
331 | Any zone type MUST define the following set of cryptographic functions: | 343 | Any ztype MUST define the following set of cryptographic functions: |
332 | </t> | 344 | </t> |
333 | <dl> | 345 | <dl> |
334 | <dt>Private-KeyGen() -> d</dt> | 346 | <dt>KeyGen() -> d, zk</dt> |
335 | <dd> | 347 | <dd> |
336 | is a function to generate a fresh private key d. | 348 | is a function to generate a fresh private key d and |
337 | </dd> | 349 | the corresponding public zone key zk. |
338 | <dt>Public-KeyGen(d) -> zk</dt> | ||
339 | <dd> | ||
340 | is a function to derive a zone key zk from a private key d. | ||
341 | </dd> | 350 | </dd> |
342 | <dt>ZKDF-Private(d,label) -> d'</dt> | 351 | <dt>ZKDF-Private(d,label) -> d'</dt> |
343 | <dd> | 352 | <dd> |
344 | is a zone key derivation function which blinds a private key d | 353 | is a zone key derivation function which blinds a private key d |
345 | using label, resulting in another private key which | 354 | using label, resulting in another private key which |
346 | can be used to create cryptographic signatures. | 355 | can be used to create cryptographic signatures. We note that |
356 | GNS only requires a signature to be created directly with | ||
357 | d to sign a revocation message for the zone key zk. | ||
347 | </dd> | 358 | </dd> |
348 | <dt>ZKDF-Public(zk,label) -> zk'</dt> | 359 | <dt>ZKDF-Public(zk,label) -> zk'</dt> |
349 | <dd> | 360 | <dd> |
350 | is a zone key derivation function which blinds a zone key zk | 361 | is a zone key derivation function which blinds a zone key zk |
351 | using a label. zk and zk' must be unlinkable. Furthermore, | 362 | using a label. zk and zk' must be unlinkable. Furthermore, |
352 | blinding zk with different values for the label must result | 363 | blinding zk with different values for the label must result |
353 | in unlinkable different resulting values for zk'. | 364 | in unlinkable zk' values. |
354 | </dd> | 365 | </dd> |
355 | <dt>S-Encrypt(zk,label,nonce,expiration,message) -> ciphertext</dt> | 366 | <dt>S-Encrypt(zk,label,nonce,expiration,message) -> ciphertext</dt> |
356 | <dd> | 367 | <dd> |
@@ -367,17 +378,18 @@ | |||
367 | data based on key material derived from the zone key, | 378 | data based on key material derived from the zone key, |
368 | a label, a nonce and an expiration. | 379 | a label, a nonce and an expiration. |
369 | </dd> | 380 | </dd> |
370 | <dt>Sign(d',message) -> signature</dt> | 381 | <dt>Sign(d,message) -> signature, Sign(d',message) -> signature</dt> |
371 | <dd> | 382 | <dd> |
372 | is a function to sign encrypted record data using the (blinded) private | 383 | is a function to sign a message (typically encrypted record data) using the (blinded) private |
373 | key d', yielding an unforgable cryptographic signature. | 384 | key d (d'), yielding an unforgable cryptographic signature. |
374 | </dd> | 385 | </dd> |
375 | <dt>Verify(zk',message,signature) -> valid</dt> | 386 | <dt>Verify(zk,message,signature) -> boolean, Verify(zk',message,signature) -> boolean</dt> |
376 | <dd> | 387 | <dd> |
377 | is a function to verify the signature was created by | 388 | is a function to verify the signature was created by |
378 | the private key d' derived from d and a label if | 389 | the private key d (or derived key d') corresponding to |
379 | zk' was derived from the corresponding zone key | 390 | the zone key zk (or derived zone key zk') |
380 | zk := Public-Keygen(d) and same label. | 391 | where d,zk := Keygen(). If deriviations were used, they |
392 | must have used the same label. | ||
381 | The function returns a boolean value of "TRUE" if the signature is valid, | 393 | The function returns a boolean value of "TRUE" if the signature is valid, |
382 | and otherwise "FALSE". | 394 | and otherwise "FALSE". |
383 | </dd> | 395 | </dd> |
@@ -902,15 +914,11 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62] | |||
902 | <dl> | 914 | <dl> |
903 | <dt>d</dt> | 915 | <dt>d</dt> |
904 | <dd> | 916 | <dd> |
905 | is a 256-bit ECDSA private key. The generation of the private | 917 | is a 256-bit ECDSA private key. |
906 | scalar as defined in Section 2.2. of <xref target="RFC6979" /> represents the Private-KeyGen() function. | ||
907 | </dd> | 918 | </dd> |
908 | <dt>zk</dt> | 919 | <dt>zk</dt> |
909 | <dd> | 920 | <dd> |
910 | is the ECDSA zone key corresponding to d. Its generation is | 921 | is the ECDSA public zone key corresponding to d. |
911 | defined in Section 2.2. of <xref target="RFC6979" /> as the curve point d*G where G | ||
912 | is the group generator of the elliptic curve. | ||
913 | This generation represents the Public-KeyGen(d) function. | ||
914 | </dd> | 922 | </dd> |
915 | <dt>p</dt> | 923 | <dt>p</dt> |
916 | <dd> | 924 | <dd> |
@@ -926,6 +934,12 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62] | |||
926 | <dd> | 934 | <dd> |
927 | is the order of the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | 935 | is the order of the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. |
928 | </dd> | 936 | </dd> |
937 | <dt>KeyGen()</dt> | ||
938 | <dd>The generation of the private | ||
939 | scalar d and the curve point zk := d*G (where G is the group generator | ||
940 | of the elliptic curve) as defined in Section 2.2. of | ||
941 | <xref target="RFC6979" /> represents the KeyGen() function. | ||
942 | </dd> | ||
929 | </dl> | 943 | </dl> |
930 | <t> | 944 | <t> |
931 | The zone type and zone key of a PKEY are 32 + 4 bytes in length. This means that | 945 | The zone type and zone key of a PKEY are 32 + 4 bytes in length. This means that |
@@ -1065,9 +1079,7 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | |||
1065 | <dl> | 1079 | <dl> |
1066 | <dt>d</dt> | 1080 | <dt>d</dt> |
1067 | <dd> | 1081 | <dd> |
1068 | is a 256-bit EdDSA private key. The generation as defined | 1082 | is a 256-bit EdDSA private key. |
1069 | in Section 3.2. of <xref target="RFC8032" /> and represents the Private-KeyGen() | ||
1070 | function. | ||
1071 | </dd> | 1083 | </dd> |
1072 | <dt>a</dt> | 1084 | <dt>a</dt> |
1073 | <dd> | 1085 | <dd> |
@@ -1076,12 +1088,10 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | |||
1076 | </dd> | 1088 | </dd> |
1077 | <dt>zk</dt> | 1089 | <dt>zk</dt> |
1078 | <dd> | 1090 | <dd> |
1079 | is the EdDSA public key corresponding to d. It is defined in | 1091 | is the EdDSA public key corresponding to d. It is defined |
1080 | Section 3.2 of <xref target="RFC8032" /> as the curve point a*G where G is the | 1092 | as the curve point a*G where G is the |
1081 | group generator of the elliptic curve and a is an integer | 1093 | group generator of the elliptic curve |
1082 | derived from d using the SHA-512 hash function. | 1094 | as defined in <xref target="ed25519" />. |
1083 | This generation including the derivation of a represents the | ||
1084 | Public-KeyGen(d) function. | ||
1085 | </dd> | 1095 | </dd> |
1086 | <dt>p</dt> | 1096 | <dt>p</dt> |
1087 | <dd> | 1097 | <dd> |
@@ -1097,6 +1107,16 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8) | |||
1097 | <dd> | 1107 | <dd> |
1098 | is the order of the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | 1108 | is the order of the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. |
1099 | </dd> | 1109 | </dd> |
1110 | <dt>KeyGen()</dt> | ||
1111 | <dd> | ||
1112 | The generation of the private key d and the associated public | ||
1113 | key zk := a*G where G is the | ||
1114 | group generator of the elliptic curve and a is an integer | ||
1115 | derived from d using the SHA-512 hash function | ||
1116 | as defined | ||
1117 | in Section 3.2. of <xref target="RFC8032" /> represents the KeyGen() | ||
1118 | function. | ||
1119 | </dd> | ||
1100 | </dl> | 1120 | </dl> |
1101 | <t> | 1121 | <t> |
1102 | The zone type and zone key of an EDKEY are 32 + 4 bytes in length. This means that | 1122 | The zone type and zone key of an EDKEY are 32 + 4 bytes in length. This means that |