BTLS: Blockchain-based Transport Layer Security #195

Closed
renne opened this issue Nov 14, 2014 · 2 comments

Comments

renne commented Nov 14, 2014

I want to suggest a simple-to-implement and easy-to-use blockchain-based authentication method:

Registration of ID/username/pseudonym:

  1. User registers an ID/username/pseudonym in 'id/'-namespace
  2. User presses a button in Namecoin to automagically generate a self-signed X.509 client-certificate (PKCS12-format) which uses the ID as Distinguished Name and adds/updates the fingerprint of the client-certificate as application
  3. User imports self-signed X.509 client-certificate to his application (e.g. browser)

Authentication:

  1. User connects to service via (D)TLS
  2. Service requests self-signed X.509 client-certificate via (D)TLS
  3. Service validates self-signed X.509 client-certificate via ':<X.509-fingerprint>'-tuple in blockchain instead of CA-root/-intermediate certificates

That way there is no need to have a blockchain-client (Namecoin) running on client machines for authentication and we can use existing client-side infrastructure without any changes (e.g. browsers, embedded systems). As Proof-of-Concept I suggest to patch STunnel for server-side client-certificate validation and to develop an Apache authentication provider module.

ToDo:

  1. Namecoin protocol: Add X.509-fingerprint for (D)TLS as registered application in 'id/'-namespace definition
  2. Namecoin-QT: Add button per ID in "Manage Names"-table to create and register self-signed X.509 client-certificate.
  3. Patch STunnel to authenticate self-signed client certificates against the blockchain instead of CA-hierarchy.
  4. Apache webserver: Develop authentication provider module 'mod_authn_blockchain'.

Discussion in Namecoin-Forum

Documentation for Namecoin-/Blockchain-newbies:
Wikipedia about Blockchain
Bitcoin.it about Blockchain
Namecoin protocol (Blockchain implementation)
Namecoin Identities
Namecoin client (Source code)
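
One way to implement step 3 of the authentication flow proposed above, added here as an example and not code from the issue's author or the Namecoin project. It assumes a SHA-256 fingerprint over the DER-encoded certificate, a hypothetical `tls_fp` field in the JSON value of the `id/` name, and a hypothetical `lookup` resolver; the sample certificates are constructed bytes.

```python
import hashlib
import hmac
import json

FP_FIELD = "tls_fp"  # hypothetical key: the page leaves the id/ field undefined

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding (hash choice is an assumption)."""
    return hashlib.sha256(der_cert).hexdigest()

def normalize(fp) -> str:
    """Accept 'AB:CD:..' or 'abcd..' spellings; return lowercase hex or ''."""
    if not isinstance(fp, str):
        return ""
    fp = fp.replace(":", "").replace(" ", "").lower()
    ok = len(fp) == 64 and all(c in "0123456789abcdef" for c in fp)
    return fp if ok else ""

def verify_client(der_cert: bytes, claimed_id: str, lookup) -> bool:
    """Pin the presented certificate to the fingerprint in the name record.

    claimed_id is the ID taken from the certificate's Distinguished Name.
    lookup(name) is a hypothetical resolver returning a dict or None.
    """
    record = lookup("id/" + claimed_id)
    if not record or record.get("expired"):
        return False                      # unknown or lapsed name: fail closed
    try:
        value = json.loads(record["value"])
    except (KeyError, TypeError, ValueError):
        return False                      # malformed value: fail closed
    if not isinstance(value, dict):
        return False
    registered = normalize(value.get(FP_FIELD))
    if not registered:
        return False
    return hmac.compare_digest(registered, fingerprint(der_cert))

# Constructed sample data: opaque bytes stand in for DER certificates.
ALICE_CERT = b"constructed-der-bytes-for-alice"
OTHER_CERT = b"constructed-der-bytes-for-someone-else"
_fp = fingerprint(ALICE_CERT).upper()
_colon_fp = ":".join(_fp[i:i + 2] for i in range(0, 64, 2))
CHAIN = {
    "id/alice": {"value": json.dumps({FP_FIELD: _colon_fp}), "expired": False},
    "id/bob": {"value": json.dumps({FP_FIELD: _fp}), "expired": True},
    "id/carol": {"value": "not json", "expired": False},
}
```

The TLS handshake still has to prove possession of the certificate's private key; this check only replaces the CA chain validation with the fingerprint comparison.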

@JeremyRand
Member

Hi,

Cool idea. Can you make this issue in https://github.com/namecoin/meta/issues instead, since this isn't specific to the Namecoin-Qt client?

@renne
Author

renne commented Nov 16, 2014

Done. ;)
