by wyager 4437 days ago
I'm honestly kind of surprised how little action there has been to assist with a migration away from the CA model. The technology is there, but people just don't seem interested enough to leverage it.

Systems like Namecoin could serve this purpose marvelously. Powerful devices have direct access to the entire cryptographically authenticated DNS and certificate database. Weak devices can specify whom they trust to provide them with DNS/certificate data, and even those devices get some cryptographic security guarantees thanks to technologies like SPV.


Why have a single entity at all? Moxie Marlinspike proposed Convergence (https://www.youtube.com/watch?v=Z7Wl2FW2TcA) as a solution - I think that something like that has far more potential wheels to travel than a Namecoin based system.

I should be able to choose who I trust, a notary system would allow me to do just that. No central CA systems.

The biggest concern I can see is Identity management, but, as mentioned by Moxie, most of these CAs don't do anything close to proper Identity management any more - I have a number of certificates bought from quite a few different CAs all made out to my rabbit, at no fixed address.

Notaries can, of course, do additional verification - they could even advertise this as a premium.

I don't see why this can't be extended to DNS lookups either. I trust X notaries and pin the results I get; I can choose to trust a majority, or be hyper paranoid and require everyone to agree. No need to run a power hungry blockchain, no single point of technology failure.

Technically, all of that is feasible today. And I imagine we will see a number of different technologies combined to form a proper, decentralised, system.
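The notary agreement check sketched in this comment, as an added example that is not part of the thread or of the Convergence code base: the client compares the certificate fingerprint it sees with what each notary reports, applies either a majority or a unanimous policy, and keeps a local pin (key continuity, as with known_hosts) so that notaries are only consulted on a first visit or when the pinned fingerprint changes. The notary names, placeholder certificate bytes and the rule that unreachable notaries count against the quorum are assumptions of this example.

```python
import hashlib
from collections import Counter
from typing import Dict, Optional, Tuple

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, in the usual pin notation."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()

def check_notaries(observed: str, reports: Dict[str, Optional[str]],
                   policy: str = "majority") -> Tuple[bool, str]:
    """Compare the fingerprint the client saw with what each notary saw.
    reports: notary name -> fingerprint it reported, or None if unreachable.
    'majority': more than half of ALL configured notaries must agree, so an
    interceptor gains nothing by knocking notaries offline (assumed rule).
    'unanimous': every configured notary must answer and agree."""
    if policy not in ("majority", "unanimous"):
        raise ValueError(f"unknown policy {policy!r}")
    total = len(reports)
    agreeing = sum(1 for fp in reports.values() if fp == observed)
    needed = total if policy == "unanimous" else total // 2 + 1
    if agreeing >= needed:
        return True, f"{agreeing}/{total} notaries agree ({policy})"
    reason = f"only {agreeing}/{total} notaries agree, {needed} required ({policy})"
    dissent = Counter(fp for fp in reports.values() if fp not in (None, observed))
    if dissent:
        reason += f"; other fingerprints seen: {dict(dissent)}"
    unreachable = [name for name, fp in reports.items() if fp is None]
    if unreachable:
        reason += f"; unreachable: {unreachable}"
    return False, reason

def verify_host(host: str, observed: str, reports: Dict[str, Optional[str]],
                pins: Dict[str, str], policy: str = "majority") -> Tuple[bool, str]:
    """Key continuity first (like ~/.ssh/known_hosts); notaries decide on a
    first visit or when the pinned fingerprint has changed."""
    pinned = pins.get(host)
    if pinned == observed:
        return True, "matches locally pinned fingerprint; notaries not consulted"
    ok, why = check_notaries(observed, reports, policy)
    if ok:
        pins[host] = observed  # first visit, or a rotation the notaries confirm
        if pinned is not None:
            why = "pinned fingerprint changed, rotation confirmed: " + why
    elif pinned is not None:
        why = "pinned fingerprint changed and notaries do not confirm it: " + why
    return ok, why

# Constructed sample input: placeholder bytes stand in for real DER certificates.
GENUINE = fingerprint(b"constructed certificate for shop.example, serial 1")
ROGUE = fingerprint(b"constructed certificate presented by an interceptor")
```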

The project seems to have lost support, the last github commit was over 2 years ago.

Do you know if there was a specific reason or were people just not interested/none of the browsers jumped onboard?

Most of the energy in this space has gone into http://tack.io/ which has been called "a non-controversial first step" - I believe it is making its way through standards talks at the moment although I have not looked into it for a while.

Personally I think now is a good time to revisit assumptions made a few years ago - security and privacy and in particular non-government controlled systems are on many people's lips.

If I ever clear my current plate, I would be interested in diving into the problem.

For those interested, here’s the latest update from the TACK mailing list: http://slexy.org/view/s20UsKEoRm (January 2014)
From Moxie:

"Convergence is blocking on TACK, which is blocking on browser vendors."

https://twitter.com/moxie/status/451020203099299840

There should be a clear statement about the status of Convergence on the web site. IIRC, the Firefox extension has been broken for more than a year now. Why? If Mozilla broke their APIs and made it impossible for the extension to work, then we should know about that. Otherwise, what's the excuse for the extension being broken for so long?

Convergence had the momentum, and there was a small but vocal group of people willing to support it. But, due to project mismanagement and lack of communication, that momentum has been lost.

There are some more active forks like https://github.com/mk-fg/convergence/ but they too seem to not really work in current versions of Firefox.

I don't understand this. Can someone weigh in with an explanation? Convergence works just fine without TACK: I can set up two or more notaries on some VPS somewhere, and my browser would check if the notaries see the same certificate on that server I am trying to connect to as my browser. Seems secure to me: no external CA involved, the certificate on the web server can be self-signed, and a MITM attack would need to hack two or more external servers to be successful. How does TACK fit in all of this?

Want to help us work on this problem at http://telehash.org?

I remember reading something about that before. I just had a quick look around and, while I don't believe I have fully grokked the concept, it would seem to me that Telehash is solving a different, but related problem.

The web, as a technology is probably not going anywhere for a few more decades at least - people have gotten very used to opening up a web browser - very few actually understand the technology beneath.

The CA/DNS issue is one based solely around them - can I type the domain name I saw on the tv/ my friend gave me/I heard about into a web browser (and these days) and it can direct me (securely) to the page where I can do business.

Telehash seems to fit in on another level. Perhaps one which we are heading towards - a world of machines securely finding and communicating with each other to achieve a goal set for them by some human actor.

This space is becoming more crowded and no good contender has emerged - and I think there is a good reason - they are either too radical and so they can't find a footing, or they are too conservative.

The documentation is slightly lax, but I feel Telehash is the latter - it doesn't seem to be solving any problems already solved:

* Space/Storage/Data Transfer - I don't care what anyone says, the blockchain model is simply not scalable; any system where a full client has to hold onto/download gigabytes of information is a non-starter for me.

But still, in any new system - hopefully decentralised - we need to distribute information. Any kind of system we build must be tolerant of partitioning - I think the solution to this is injecting some trust (à la Convergence).

* Speed - Computers work in nanoseconds, the web currently operates in seconds (some sites in milliseconds) - we can't beat the speed of light, but we can certainly start removing the cruft from our communications - HTML, XML, JSON, CSV - are all formats designed for people. We need tools that let us manipulate formats designed for machines.

Our networking protocols are like this as well - as much as people hate ASN.1, it solved some problems decades ago, allowing the phone system to scale on just duct tape and WD-40.

* Power - Blockchain bashing time again - we live in a world of limited, expensive power. We are getting much better at producing low power devices, people like wireless devices. Why should our networks be so power-hungry?

Just a few, rambling thoughts.

Just to be clear, Telehash is a protocol, not an application. The bulk of the documentation is on Github, and so far it's mostly for people implementing the protocol in different languages.

There's no blockchain involved in Telehash. It accommodates various cipher sets, including one suitable for ultra low power devices (there's a partially working implementation for Arduino). And you're correct, it isn't really aimed at enabling anything like trusting a URL from a television commercial.

Telehash is conservative in the sense that it solves useful problems, even within the current DNS infrastructure. No one's currently doing this, but you could easily map a DNS name to a Telehash address. But it also offers global resilience to partitioning, because the logical mesh can operate on any lower level network transport.

I like the multiple notary model of Convergence, but I think any of these trust models still need to separate the "human memorable names" component.

I was mixing a number of different criticisms of various technologies in my post... I never meant to convey that Telehash has a blockchain.

I guess I still don't understand the point of Telehash, even having read through the documentation. "Establishing private communication channels" is definitely a big problem, one with a huge threat model, and the solution is probably multi-faceted - I don't see where a system like Telehash fits in vs. something like Tor or I2P for example - does anonymity fit into the threat model?

Before dragging this thread off the page I will follow up with an email. :)

Hope to hear from you. :)

Telehash's design may simplify the future design of Tor-like protocols, but anonymity is not an intended core feature.

Partition resistance is probably the highest priority. If any possible insecure network path exists, encrypted communication between endpoints should also be possible (and automatic).

How does this compare to the following which I've seen mentioned lately:

* sayI [http://www.ethos-os.org/~solworth/sayIgroups-20130614.pdf]

* MinimaLT: http://eprint.iacr.org/2013/310.pdf

* CurveCP: http://curvecp.org/

sayI appears to be the directory service designed for MinimaLT / Ethos. CurveCP looks like it fits in the same use case as MinimaLT. That's where I'd say Telehash lives, too (but I've only skimmed any of these papers so far).

Telehash started out life as a more generalized global DHT-for-your-apps design circa 2010, and the spec has since evolved significantly to include the same kind of wire-level crypto.

Opening an issue is the easiest way to get the FAQ updated (and we'd definitely appreciate the feedback): https://github.com/telehash/telehash.org/issues

But I trust your rabbit and it can happily take as many of my dandelions as it wants.

I think we should rebuild a PKI on top of DNS also. It shouldn't be that hard to do honestly and it would avoid a lot of this sort of problem.
> Why have a single entity at all?

How do you figure that Namecoin is a "single entity"?

There is one blockchain. The security of the blockchain requires everyone working very hard to maintain it - while it is made out of many parts it is 1 entity (like an ant colony).

Contrast with something like Convergence, where, while they share a common protocol (maybe...not necessarily) each part is responsible for itself, and not tied to any particular larger whole.

And do you think that makes it inherently less secure than a "free-for-all" system? I think the point of the blockchain is to remove trust and become trustless, while the point of something like this is to keep the trust system, but actually give you some choice of who you trust. It seems a little better, but I think trustless authentication (as in no 3rd party required) would be preferred.

Trustless is great for so many things, but try answering this question in a trustless environment: "Before I give you my credit card info, how do I know you are who you say you are?"

If you can answer that without trust...

You can know that you are talking to the same named digital identity that you think you are talking to without trust; that's a significant amount of the value of Namecoin. Validating that a digital identity is tied to a specific real world identity is a separate problem.

There's been plenty of action, but you can't turn the whole world on a dime.
There's been plenty of action, but you can't turn the whole world on a dime.

Namecoin is fantastic in theory, but has the fatal flaw of using Bitcoin: the fastest number cruncher wins. Some would argue that the strength of Bitcoin's tech is that numerous currencies with different genesis blocks can flourish. That doesn't get us anywhere with naming, though.

Dead horse flog: the CA model's problem is that you can't do federated (global) naming and federated trust in the same system.

>the fastest number cruncher wins.

What's the issue with that? It's reasonable to assume that the good number crunchers will always have more power than the bad number crunchers, and if that assumption ever fails, it's easy to detect and we're simply back to CA levels of security.

Philosophically, "good number crunchers" just means "tyranny of the majority."

Environmentally, that number crunching is a colossal waste of energy. We don't need to base our entire economy on that kind of energy footprint just because we occasionally want to make anonymous global barter convenient.

The migration away from the CA model is called "certificate pinning". Chrome uses it for high-value sites, and you use it whenever you ssh somewhere and the key's fingerprint is in your .ssh/known_hosts file.

>The migration away from the CA model is called "certificate pinning".

TOFU/POP is not an effective model for the web. There are simply too many sites for it to be useful. It's pretty much an everyday occurrence that I go to a site I've never been to before, and certificate pinning won't help at all there.

First, "TOFU/POP" has a real name; it's "key continuity". Second, certificate pinning as implemented in Chrome doesn't depend directly on key continuity. Third, key continuity destroys the incentive to attack sites by compromising CAs, because even if you're hitting a site for the first time, many of the 10,000 other people hitting it from the same browser at around the same time aren't, and they'll detect the bogus cert. That only has to happen once for Google to put a gun to the rogue CA's temple.
>First, "TOFU/POP" has a real name; it's "key continuity".

I am aware of both names, thank you.

>That only has to happen once for Google to put a gun to the rogue CA's temple.

Google can't really help in every single case. There are many situations where Google's revocation scheme can't keep up.

You also have to put a lot of trust in Google. You think Google is going to issue a revocation if they're under legal pressure not to?

As you are aware, human factors are frequently the weakest parts in a cryptosystem.

I don't understand your comment. Google doesn't revoke keys. It revokes whole CAs.

Well, what Google does is it gets a list of revoked certs from CAs, decides which ones are "really important" and sends those to the browser. So yes, in effect, Google decides which certificates are revoked. It's all covered in the article.

> certificate pinning as implemented in Chrome doesn't depend directly on key continuity.

But it's unsuitable for the entirety of the web. You can't hardcode all certificate fingerprints of the whole internet inside the browser.

>> The migration away from the CA model is called "certificate pinning".

> key continuity destroys the incentive to attack sites by compromising CAs

We need to ELIMINATE CAs (CA as in some third party (Google, VeriSign, GoDaddy, ...) who you have to trust). The whole concept of trusting a CA is broken, and pinning does nothing to address that, at least not in the proposed TACK implementation.

That's true, you can't hardcode certificate fingerprints for every site. Hence, TACK.

Yes, but TACK, even if it's a big step forward, does not address the main problem: we need to get rid of a central authority we have to trust. And TACK does nothing to address that. And neither does Certificate Transparency as proposed by Google.

I really feel the correct step forward is Convergence or Perspectives. If just browser vendors would jump in, we could use it right away. Mozilla/Google could set up a few notaries and set them as trusted by default in the browser. They choose the CAs they put in our browsers anyway, so we trust them already. That trust could be implemented with notaries instead of the CA model, so if someone wants to set up their own notaries they can.

What's your take on this? I value your opinion on security matters.

If Namecoin is anywhere near as insecure as Bitcoin, it's a nonstarter. Yes, I know the cryptography underlying Bitcoin is secure, but as a matter of practical fact, Bitcoin itself as an end-user technology is hopelessly insecure. It's one thing having an endless stream of people waking up to find their bitcoins are irrevocably gone because someone hacked the computer, but we can't have domain names being irrevocably lost in the same way.

Does Namecoin actually work like that? If so, is there a similar alternative that doesn't?