[webkit-dev] Interest in supporting cryptographically-generated domain names?
Matthew Finkel
sysrqb at apple.com
Mon May 5 07:44:07 PDT 2025
Hi Demi,
Interesting idea! Comments in-line:
> On May 4, 2025, at 5:52 PM, Demi Marie Obenour via webkit-dev <webkit-dev at lists.webkit.org> wrote:
>
> A major limitation of the Web PKI is that it cannot issue certificates
> for devices that do not own a public domain name or IP address. To
> solve this problem, I have created a proposal for incorporating a public
> key in the domain name itself, allowing a server to be authenticated
> without involving a third party. The proposal can be found at
> <https://demimarie.github.io/cryptographically-generated-domains.html>.
This idea of using the hash of a public has never gained widespread excitement, but maybe this time is different! The proposal seems to combine some previous ideas around self-authenticating addresses [0] and self-authenticating traditional addresses [1]. I recommend citing the prior work in the proposal for completeness. The Open Questions section mentions Tor’s onion services, and indeed a lot can be learned from them with regard to their addressing scheme. Primarily, cryptographic hashes are not user-friendly, in fact some would consider them user-hostile because they lack any inherent meaning and require byte-for-byte comparison that is tedious. However, the value of 1) uniqueness, 2) self-authentication, and 3) end-to-end security are important characteristics.
>
> Is an implementation of this something that Chromium would be interested
> in? I do plan to propose this to the IETF, but first I want to check if
> there is interest from browser vendors.
I assume you forgot to replace Chromium with WebKit? :) But, with regard to Chromium, I believe they were exploring usability improvements in the area of supporting top-level HTTPS navigations to devices on a local network that don’t have globally valid TLS certificates. I can’t find the proposal at the moment, though.
I also recommend citing RFC 7686 [3] and CAB ballot 201 [4].
I am interested in seeing if there is broader support of this idea, too.
[0] https://spec.torproject.org/rend-spec/encoding-onion-addresses.html
[1] https://www.researchgate.net/publication/337510353_Self-Authenticating_Traditional_Domain_Names
[3] https://www.rfc-editor.org/rfc/rfc7686.html
[4] https://cabforum.org/2017/06/08/ballot-201-.onion-revisions/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20250505/fbd8aba9/attachment-0001.htm>
More information about the webkit-dev
mailing list