Generate 2 "Domain CA" certs, use AIA to link them #3

Open
JeremyRand opened this issue Apr 5, 2020 · 0 comments
Comments


JeremyRand commented Apr 5, 2020

We can use AIA to link the root of a server's supplied cert chain to a cert locally supplied by Namecoin, without needing real-time write access to the intermediate CA store. The AIA URL would be a special URL with a reserved .bit domain name, which ncdns would resolve to a locally running HTTP server. AIA is supported by all mainstream browsers (on all platforms) except Firefox (which supports ncp11).

We should use 2 "Domain CA" certs for this purpose, as follows:

  1. A "Domain Blockchain CA" cert should be supplied by the AIA server (or by ncp11), and be signed by the TLD CA. Its public key matches the blockchain's TLSA record; it does not have an AIA extension; it should not be included in the TLS ServerHello cert chain.
  2. A "Domain ServerHello CA" cert should be supplied as part of the TLS ServerHello cert chain, and be signed by the Domain Blockchain CA. Its public key is not present in the blockchain. It has an AIA extension pointing to a reserved .bit domain name.

Why are we using 2 Domain CAs, instead of simply putting the AIA extension in the end-entity cert? Because some TLS infrastructure (e.g. Facebook) may not be designed to place specific AIA extensions into subject certs that it signs, whereas we expect TLS infrastructure to not care about the AIA extensions in issuer certs that it uses to sign certs. Thus, the generate_nmc_cert tool produces the Blockchain CA and the ServerHello CA, and the ServerHello CA is used as the issuer in whatever infrastructure is applicable.

Credit to yanmaani for inquiring whether it's necessary to mandate that the end-entity cert use AIA, which led me to the 2-CA approach.
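The following Go program is an added illustration of the two-CA split described in the comment above; it is not code from generate_nmc_cert, safetlsa or encaya. It issues TLD CA -> Domain Blockchain CA -> Domain ServerHello CA -> leaf with crypto/x509, puts the AIA (caIssuers) extension only on the ServerHello CA, and then verifies the leaf twice against the TLD CA as the sole root: once with only the handshake-supplied ServerHello CA available (verification fails, the chain cannot reach the root) and once with the Blockchain CA added to the intermediate pool, standing in for the client having followed the AIA URL or ncp11 having supplied the cert (verification succeeds). It also prints the SHA-256 of the Blockchain CA's SubjectPublicKeyInfo, which is the data a "2 1 1" (DANE-TA, SPKI, SHA2-256) TLSA record would commit to; that record form, the AIA name http://aia.bit/, the domain example.bit and all subject names are assumptions of this example, not values from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Assumed values: neither the reserved .bit AIA name nor the subject names are given on the issue page.
const aiaURL, domain = "http://aia.bit/", "example.bit"

// Chain holds the three CAs from the issue plus an end-entity certificate.
type Chain struct {
	TLDCA, BlockchainCA, ServerHelloCA, Leaf *x509.Certificate
}

// newTemplate: CAs get certSign, the leaf gets the domain as its SAN; ServerAuth EKU on all so Go's verifier accepts the chain for TLS.
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{domain}
	}
	return t
}

// BuildChain issues TLD CA -> Domain Blockchain CA -> Domain ServerHello CA -> leaf with fresh P-256 keys.
func BuildChain() (*Chain, error) {
	var err error
	// issue signs tmpl under parent (self-signed when parent is nil); the first failure is kept in err.
	issue := func(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (cert *x509.Certificate, key *ecdsa.PrivateKey) {
		if err != nil {
			return
		}
		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
		if parent == nil { // self-signed root
			parent, parentKey = tmpl, key
		}
		var der []byte
		if der, err = x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey); err != nil {
			return
		}
		cert, err = x509.ParseCertificate(der)
		return
	}
	tld, tldKey := issue(newTemplate("Namecoin .bit TLD CA", true, 1), nil, nil)
	// Blockchain CA: its SPKI is what the TLSA record commits to; no AIA, never sent in the ServerHello.
	bc, bcKey := issue(newTemplate(domain+" Domain Blockchain CA", true, 2), tld, tldKey)
	// ServerHello CA: shipped by the server; its AIA caIssuers URL points back at the Blockchain CA.
	shTmpl := newTemplate(domain+" Domain ServerHello CA", true, 3)
	shTmpl.IssuingCertificateURL = []string{aiaURL}
	sh, shKey := issue(shTmpl, bc, bcKey)
	leaf, _ := issue(newTemplate(domain, false, 4), sh, shKey)
	if err != nil {
		return nil, err
	}
	return &Chain{tld, bc, sh, leaf}, nil
}

// VerifyLeaf validates the leaf with the TLD CA as the only root. The ServerHello CA is always present (it
// came in the handshake); the Blockchain CA is added only when the client fetched it via AIA (or ncp11 supplied it).
func VerifyLeaf(c *Chain, aiaFetched bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.TLDCA)
	inters.AddCert(c.ServerHelloCA)
	if aiaFetched {
		inters.AddCert(c.BlockchainCA)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: domain})
	return err
}

// TLSASPKIHash: hex SHA-256 of the SubjectPublicKeyInfo, the data field of an assumed "2 1 1" (DANE-TA, SPKI, SHA2-256) TLSA record.
func TLSASPKIHash(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("TLSA 2 1 1", TLSASPKIHash(c.BlockchainCA), "| no AIA:", VerifyLeaf(c, false), "| with AIA:", VerifyLeaf(c, true))
}
```

The point the two verification calls make is the one in the comment: the server's chain on its own ends at the ServerHello CA, whose key is not in the blockchain, so a client that never follows the AIA link has no path to the TLD CA; a client that does fetch the Blockchain CA gets a path whose only blockchain-anchored key is the Blockchain CA's, and the end-entity cert and ServerHello CA can be issued by ordinary TLS tooling with no AIA handling of their own.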

JeremyRand added a commit to JeremyRand/generate_nmc_cert that referenced this issue Feb 16, 2021
JeremyRand added a commit to namecoin/generate_nmc_cert that referenced this issue Feb 17, 2021
d2e57d3 Clarify that wildcard domain should be used for the TLSA record (Jeremy Rand)
fa3ccf5 Save DANE-TA JSON to file (Jeremy Rand)
a517d38 Disable some linters (Jeremy Rand)
20a061e Support AIA (Jeremy Rand)

Pull request description:

  Refs namecoin/safetlsa#3 .

  Fixes #5 .
  Fixes #6 .

Top commit has no ACKs.

Tree-SHA512: 80906c12fb902f59321bd566f4ead8e76e90ee7158687f8f3e576cf3dee02e9473b40a68ec10afd0226dd86b565a987d93c2a1e285abc3dbb5632ca72c7e69d1
JeremyRand added a commit to JeremyRand/safetlsa that referenced this issue Feb 17, 2021
@JeremyRand JeremyRand mentioned this issue Feb 17, 2021
JeremyRand added a commit that referenced this issue Feb 17, 2021
24813e7 Set EKU on TLD CA (Jeremy Rand)
ad9434a Set EKU on Domain CA (Jeremy Rand)
b7fa7cf Support AIA (Jeremy Rand)

Pull request description:

  Refs #3
  Refs #5

Top commit has no ACKs.

Tree-SHA512: adf9da8e0c39e4e43cd98edfdd9a68af155f36b29e67b150f17f14c45426b0ea7322d353e4c4c32f5ace1df6531b1d4e3b4fd3b3dc3cafdeb11600c9aba7a173
JeremyRand added a commit to JeremyRand/ncdns that referenced this issue Feb 17, 2021
Currently hardcoded to point to "this" MetaDomain

Refs namecoin/safetlsa#3
JeremyRand added a commit to JeremyRand/encaya that referenced this issue Feb 17, 2021
JeremyRand added a commit to namecoin/ncdns that referenced this issue Feb 17, 2021
7287e92 Fix nlreturn warning (Jeremy Rand)
c0694b0 Fix name field of cached TLSA records (Jeremy Rand)
5336820 Add "aia" MetaDomain (Jeremy Rand)
88affcd TLS: Add compressed pubkey support (Jeremy Rand)

Pull request description:

  Refs namecoin/safetlsa#3

Top commit has no ACKs.

Tree-SHA512: 77984e8674814b8ac586d98f83725b9901a942218e7c4d34cfe6d390f6e0994c943978132a36d4f1812245ce8700275570235ccdec434f186607d8de72bffab5
JeremyRand added a commit to namecoin/encaya that referenced this issue Feb 17, 2021
cda37bf Switch to wildcard TLSA domain (Jeremy Rand)
e0be318 Add listen-ip config flag (Jeremy Rand)
23e8277 Disable HTTPS by default (Jeremy Rand)
d9114a8 Support AIA (Jeremy Rand)

Pull request description:

  Refs namecoin/safetlsa#3

Top commit has no ACKs.

Tree-SHA512: c402699e89b93dc760fe0656c18a6e6113eabcaf38a3557827cca905393b575461bd4bd7127be00b770dd6fc55256d3d1e0f5a406c9875a701dff1af3ad4cf5d