Interesting idea! Comments in-line:
On May 4, 2025, at 5:52 PM, Demi Marie Obenour via webkit-dev <webkit-dev@lists.webkit.org> wrote:
A major limitation of the Web PKI is that it cannot issue certificates
for devices that do not own a public domain name or IP address. To
solve this problem, I have created a proposal for incorporating a public
key in the domain name itself, allowing a server to be authenticated
without involving a third party. The proposal can be found at
<https://demimarie.github.io/cryptographically-generated-domains.html>.
This idea of using the hash of a public has never gained widespread excitement, but maybe this time is different! The proposal seems to combine some previous ideas around self-authenticating addresses [0] and self-authenticating traditional addresses [1]. I recommend citing the prior work in the proposal for completeness. The Open Questions section mentions Tor’s onion services, and indeed a lot can be learned from them with regard to their addressing scheme. Primarily, cryptographic hashes are not user-friendly, in fact some would consider them user-hostile because they lack any inherent meaning and require byte-for-byte comparison that is tedious. However, the value of 1) uniqueness, 2) self-authentication, and 3) end-to-end security are important characteristics.
Is an implementation of this something that Chromium would be interested
in? I do plan to propose this to the IETF, but first I want to check if
there is interest from browser vendors.
I assume you forgot to replace Chromium with WebKit? :) But, with regard to Chromium, I believe they were exploring usability improvements in the area of supporting top-level HTTPS navigations to devices on a local network that don’t have globally valid TLS certificates. I can’t find the proposal at the moment, though.
I also recommend citing RFC 7686 [3] and CAB ballot 201 [4].
I am interested in seeing if there is broader support of this idea, too.