gnunet-svn

[lsd0001] branch master updated: tone down governance


From: gnunet
Subject: [lsd0001] branch master updated: tone down governance
Date: Sun, 07 Aug 2022 17:33:40 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository lsd0001.

The following commit(s) were added to refs/heads/master by this push:
     new 7e54cde  tone down governance
7e54cde is described below

commit 7e54cdeb9cdd673b474d20493b204bc0d9b395bf
Author: Martin Schanzenbach <schanzen@gnunet.org>
AuthorDate: Sun Aug 7 17:33:38 2022 +0200

    tone down governance
---
 draft-schanzen-gns.xml | 96 ++++++++++++++++++++++++++++++--------------------
 1 file changed, 57 insertions(+), 39 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 35cbd49..94942c2 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -89,10 +89,9 @@
     <t>
       This document contains the GNU Name System (GNS) technical
       specification.
-      GNS is a decentralized and censorship-resistant name
-      system that provides a privacy-enhancing alternative to the Domain
-      Name System (DNS).
-      <!-- GNS is more. it is also extensible and more flexible -->
+      GNS is a decentralized and censorship-resistant domain name
+      resolution protocol that provides a privacy-enhancing alternative to the
+      Domain Name System (DNS) protocols.
     </t>
     <t>
       This document defines the normative wire format of resource records,
@@ -114,57 +113,36 @@
      <t>
        The Domain Name System (DNS) <xref target="RFC1035" /> is a unique
        distributed database and a vital service for most Internet applications.
-       While DNS is distributed, in practice it
-       relies on centralized, trusted registrars to provide globally unique
-       names. As the awareness of the central role DNS plays on the Internet
-       rises, various institutions are using their power (including legal 
means)
-       to engage in attacks on the DNS, thus threatening the global 
availability
-       and integrity of information on the Internet.
-     </t>
-     <t>
-       DNS was not designed with security in mind. This makes it very
+       However, it was not designed with security in mind. This makes it very
        vulnerable, especially to attackers that have the technical capabilities
        of an entire nation state at their disposal.
-       While a wider discussion of this issue is out of scope for this 
document,
-       analyses and investigations can be found in recent academic research
-       works including <xref target="SecureNS"/>.
      </t>
      <t>
        This specification describes a censorship-resistant, privacy-preserving
-       and decentralized name system: The GNU Name System (GNS) <xref 
target="GNS" />.
-       It is designed to provide a secure, privacy-enhancing alternative to
-       DNS, especially when censorship or manipulation is encountered.
-       In particular, it directly addresses concerns in DNS with respect to 
"Query
-       Privacy", the "Single Hierarchy with a Centrally Controlled Root" and
-       "Distribution and Management of Root Servers" as raised in
-       <xref target="RFC8324"/>.
+       and decentralized domain name resolution protocol:
+       The GNU Name System (GNS), a development continuation of
+       previous academic work on secure name systems <xref target="GNS" />.
        GNS can bind names to any kind of
        cryptographically secured token, enabling it to double in some respects 
as
        an alternative to some of today’s Public Key Infrastructures, in
        particular X.509 for the Web.
      </t>
      <t>
-       The design of GNS incorporates the capability to integrate and
-       coexist with DNS.
-       GNS is based on the principle of a petname system where users can assign
+       The design of GNS incorporates the capability to interoperate with the
+       DNS protocol.
+       It is based on the principle of a petname system where users can assign
        names to zones.
        It builds on ideas from the Simple Distributed Security
-       Infrastructure <xref target="SDSI" />, addressing a central issue with 
the decentralized
-       mapping of secure identifiers to memorable names: namely the 
impossibility
-       of providing a global, secure and memorable mapping without a trusted
-       authority. GNS uses the transitivity in the SDSI design to replace the
-       trusted root with secure delegation of authority thus making petnames
-       useful to other users while operating under a very strong adversary 
model.
+       Infrastructure <xref target="SDSI" />, enabling the decentralized
+       mapping of secure identifiers to memorable names.
      </t>
      <t>
-       This is an important distinguishing factor from the Domain Name System
-       where root zone governance is centralized at the Internet Corporation
-       for Assigned Names and Numbers (ICANN).
        In DNS terminology, GNS roughly follows the idea of a local
-       root zone deployment (see <xref target="RFC8806"/>), with the 
difference that it is not
-       expected that all deployments use the same root zone,
-       and that users can easily delegate control of arbitrary domain names to
-       arbitrary zones.
+       root zone deployment (see <xref target="RFC8806"/>), with the difference
+       that the protocol defined here does not mandate that all deployments use
+       the same root zone.
+       Users can easily delegate control of arbitrary domain names to
+       arbitrary zones through their local configurations.
      </t>
      <t>
        This document defines the normative wire format of resource records, 
resolution processes,
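Review bot: the added phrase "a development continuation of previous academic work on secure name systems" is awkward; suggest "GNS continues earlier academic work on secure name systems <xref target="GNS" />". Also, moving the RFC8324 concerns, the SecureNS citation and the ICANN comparison out of the introduction leaves the retained sentence "However, it was not designed with security in mind" standing alone right after the description of DNS as a vital service, with no pointer to where the censorship and governance discussion went; consider a short cross-reference to the new sec_governance section so readers of the introduction still find the threat discussion. The retained statement that GNS "roughly follows the idea of a local root zone deployment" with no mandated common root matches the narrower scope the rest of this change adopts.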
@@ -2751,6 +2729,46 @@ NICK: john (Supplemental)
            zone keys do become public during revocation.
          </t>
        </section>
+       <section anchor="sec_governance">
+         <name>Zone Governance</name>
+         <t>
+           While DNS is distributed, in practice it
+           relies on centralized, trusted registrars to provide globally unique
+           names. As the awareness of the central role DNS plays on the 
Internet
+           rises, various institutions are using their power (including legal 
means)
+           to engage in attacks on the DNS, thus threatening the global 
availability
+           and integrity of information on the Internet.
+           While a wider discussion of this issue is out of scope for this 
document,
+           analyses and investigations can be found in recent academic research
+           works including <xref target="SecureNS"/>.
+         </t>
+         <t>
+           GNS is designed to provide a secure, privacy-enhancing alternative 
to the
+           DNS name resolution protocol, especially when censorship or 
manipulation
+           is encountered.
+           In particular, it directly addresses concerns in DNS with respect to
+           query privacy.
+           However, depending on the governance of the root zone, any 
deployment
+           will likely suffer from the issues of a
+           "Single Hierarchy with a Centrally Controlled Root" and
+           "Distribution and Management of Root Servers" as raised in
+           <xref target="RFC8324"/>.
+           In the Domain Name System root zone governance is centralized at the
+           Internet Corporation for Assigned Names and Numbers (ICANN).
+           GNS can be used to leverage the transitivity in the SDSI design to
+           replace the trusted root with secure delegation of authority thus
+           making petnames useful to other users while operating under a very
+           strong adversary model.
+           By building on the ideas from SDSI, GNS allows to address a central
+           issue with the decentralized mapping of secure identifiers to 
memorable
+           names: namely the impossiblity of providing a global, secure and
+           memorable mapping without a trusted authority.
+         </t>
+         <t>
+           Any GNS implementation <bcp14>MAY</bcp14> provide a default
+           governance model in the form of an initial start zone mapping.
+         </t>
+       </section>
        <section anchor="namespace_ambiguity">
          <name>Namespace Ambiguity</name>
          <t>
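Review bot: the paragraph ending "MAY provide a default governance model in the form of an initial start zone mapping" should say what that default means for trust: a shipped start zone is the resolver's trust anchor, and the preceding paragraph's claim that "any deployment will likely suffer from the issues of a 'Single Hierarchy with a Centrally Controlled Root'" applies precisely to deployments that keep the vendor default, so the section should state that users can replace or extend the default (the introduction hunk already says delegation happens "through their local configurations"). Two wording fixes in the same section: "impossiblity" should be "impossibility", and "GNS allows to address a central issue" is ungrammatical; suggest "GNS makes it possible to address a central issue". A comma after "In the Domain Name System" would also make the ICANN sentence easier to parse.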

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.