[lsd0001] branch master updated: more
Sun, 06 Sep 2020 10:58:16 +0200
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository lsd0001.
The following commit(s) were added to refs/heads/master by this push:
new 495b02b more
495b02b is described below
Author: Martin Schanzenbach <email@example.com>
AuthorDate: Sun Sep 6 10:51:46 2020 +0200
draft-schanzen-gns.xml | 50 ++++++++++++++++++++++++++++++++------------------
1 file changed, 32 insertions(+), 18 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 25530b6..65c7113 100644
@@ -136,14 +136,21 @@
A zone in GNS is defined by a public/private key pair (d,zk),
where d is the private key and zk the corresponding public key.
The contents of a zone are cryptographically signed before
- publishing. Instead of the zone private key "d", the signature MUST
+ being published a Distributed Hash Table (DHT).
+ Records are grouped by their label and encrypted (<xref
+ using an encryption key derived from the label and the zone public key.
+ Instead of the zone private key "d", the signature MUST
be created using a blinded public/private key pair d' and zk'.
This blinding is realized using a Hierarchical Deterministic Key
Derivation (HDKD) scheme.
- Such a scheme allows the zone owner to derivate a private d' and a
+ Such a scheme allows the zone owner to derive a private d' and a
resolver to derive the corresponding public key zk' in a deterministic
manner from the original public and private zone keys as well as a
+ label. This feature prevents zone enumeration and requires knowledge
+ of both "zk" and the queried label to confirm affiliation with a
+ specific zone. At the same time, the blinded "zk'" provides nodes
+ with the ability to verifiy the integrity of the published information
+ without disclosing the originating zone.
The following primitives define a zone in GNS:
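Review bot: the new sentence "before being published a Distributed Hash Table (DHT)" is missing a preposition; it should read "before being published in a Distributed Hash Table (DHT)". In the same hunk, "Records are grouped by their label and encrypted (<xref" leaves the `<xref` element without a target attribute and without a closing `/>` or `</xref>`, so the XML will not be well-formed as written; please complete the reference (or drop the parenthesis) before merging. Finally, "verifiy" in "the ability to verifiy the integrity" should be "verify".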
@@ -177,12 +184,14 @@
is a HDKD function which blinds a public zone key "zk" of the
- <dt>TLD(zk) -> zkl</dt>
+ <dt>NameSuffix(ztype, zk) -> zkl</dt>
is a function which defines a mapping from zone public key to
a string "zkl" of the respective type.
- It is string which encodes the "ztype" as well as the zone
- key "zk" into one or more labels.
+ It is a string which encodes the "ztype" as well as the zone
+ key "zk" into one or more labels. The "zkl" is used as a
+ globally unique reference to a specific namespace in the
+ process of name resolution.
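Review bot: the definition-term was renamed from "TLD(zk) -> zkl" to "NameSuffix(ztype, zk) -> zkl", adding a "ztype" argument, but the description below it still says the function "defines a mapping from zone public key to a string", without mentioning that the zone type is now an input as well. Suggest "a mapping from a zone type "ztype" and zone public key "zk" to a string "zkl"" so the prose matches the signature. Also check that every remaining use of "TLD(" elsewhere in the draft (outside this hunk) has been renamed to "NameSuffix(", since the term is referenced later in this same commit.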
@@ -763,7 +772,7 @@ q := SHA512 (HDKD-Public(zk, label))
| ZONE TYPE | PUBLIC ZONE KEY |
++-----+-----+-----+-----+ (BLINDED) |
@@ -784,12 +793,17 @@ q := SHA512 (HDKD-Public(zk, label))
The signature is computed over the data following
the PUBLIC KEY field.
- The signature is created using the derived private key "d'" (see
- <xref target="zone_types" />).
+ The signature is created using the derived private key
+ "HDKD-Private(d, label)" (see <xref target="zone_types" />).
- <dt>PUBLIC KEY</dt>
+ <dt>ZONE TYPE</dt>
+ is the 32-bit zone type.
+ <dt>ZONE PUBLIC KEY</dt>
- is the public key "zk'" to be used to verify SIGNATURE.
+ is the blinded public zone key "HDKD-Public(zk, label)"
+ to be used to verify SIGNATURE.
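Review bot: field naming is inconsistent between this hunk and the one before it: the wire-format artwork at "@@ -763,7" labels the field "PUBLIC ZONE KEY" (with "(BLINDED)" on the next row), while the definition list here introduces `<dt>ZONE PUBLIC KEY</dt>`. Pick one name and use it in both places. The unchanged context line "the data following the PUBLIC KEY field" also still refers to the old `<dt>PUBLIC KEY</dt>` that this hunk removes and should be updated to the new name, otherwise readers cannot locate the field the signature covers. The new "ZONE TYPE" entry states the type is 32 bits; that width should match the "ZONE TYPE" column drawn in the artwork above.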
@@ -1512,15 +1526,15 @@ NICK: john (Supplemental)
particular application requires a different process.
- GNS clients SHOULD first try to interpret the top-level domain of
- a GNS name as a zone key.
- For example. if the top-level domain is a label representation of
- a public zone key "zkl", the root zone of the resolution process
- is implicitly given by the name:
+ GNS clients MUST first try to interpret the top-level domain of
+ a GNS name as a zone key representation "zkl := NameSuffix(ztype,
+ If the top-level domain is indicated to be a label representation of
+ a public zone key with a well-defined "ztype" value, the root zone of
+ the resolution process is implicitly given by the suffic of the name:
<artwork name="" type="" align="left" alt=""><![CDATA[
-Example name: www.example.<zkl>
-=> Root zone: zk
+Example name: www.example.<NameSuffix(ztype, zk)>
+=> Root zone: zk of type ztype
=> Name to resolve from root zone: www.example
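Review bot: the new sentence "a GNS name as a zone key representation "zkl := NameSuffix(ztype," ends mid-expression; the closing "zk)"" and the rest of the sentence are missing, so the paragraph currently does not parse. Also "suffic of the name" should be "suffix of the name". Note that this hunk changes the requirement level from "SHOULD first try" to "MUST first try"; that strengthens the normative behaviour for resolvers and should probably be mentioned in the commit message rather than under a one-word "more".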