A bit ago, I came up with an idea for self-verifying domain names:
Create the domain:
Generate a keypair
Hash the pubkey
Convert that hash to a list of words (e.g. BIP-39) separated by dashes (e.g. word1-word2-...)
Register that word-list as your domain name (e.g. word1-word2-...-word23-word24.com). [0]
Self-sign a TLS certificate with the above generated keypair for that domain name.
Connect to the domain:
Client connects to the domain name.
Server provides its self-signed TLS certificate.
Client verifies the certificate by comparing the pubkey, the domain name (which is a hash of that pubkey), and the signature in the TLS certificate.
If everything matches, then the TLS connection proceeds as normal.
This protocol would be added to the certificate verification process of TLS. It would be used in situations where a short/memorable domain name is not needed (e.g. backend servers, Nostr nodes, etc).
One big flaw is that a change to the certificate would require a change of domain name. That would happen in the event of a private key leak or when you decide to upgrade the security of your certificate (e.g. going from a 2048 bit key to a 4096 bit key).
[0] The maximum length for domain names is 253 ASCII characters. The words in the English BIP-39 wordlist are all <= 8 characters (and shorter on average), so length shouldn't be an issue.
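The derivation and client-side check described above, as an added example that is not part of the original comment. It assumes a constructed 2048-entry stand-in for the BIP-39 list (real deployments would load the actual list), uses constructed byte strings in place of DER-encoded public keys, and leaves signature verification of the self-signed certificate to the TLS stack; it also adds the RFC 1035 per-label limit (63 octets) as a check beside the 253-octet total the footnote cites.

```python
import hashlib
import hmac

# Constructed stand-in for the 2048-word BIP-39 English list (assumption: only
# its size and 11-bit indexing matter here; a real deployment loads the real list).
_C, _V = "bcdfghjklmnpqrstvwxz", "aeiou"
WORDLIST = [a + b + c + d for a in _C for b in _V for c in _C for d in _V][:2048]
TLD = "com"


def pubkey_to_words(pubkey: bytes) -> list[str]:
    """SHA-256 the public key, append the 8-bit BIP-39 checksum, emit 24 words of 11 bits."""
    digest = hashlib.sha256(pubkey).digest()              # 256 bits of entropy
    checksum = hashlib.sha256(digest).digest()[0]         # BIP-39: first 8 bits of sha256(entropy)
    bits = (int.from_bytes(digest, "big") << 8) | checksum  # 264 bits = 24 * 11
    return [WORDLIST[(bits >> (11 * (23 - i))) & 0x7FF] for i in range(24)]


def domain_for_pubkey(pubkey: bytes) -> str:
    """Dash-joined word list as a single label, plus the TLD, exactly as the scheme describes."""
    return "-".join(pubkey_to_words(pubkey)) + "." + TLD


def label_lengths_ok(domain: str) -> bool:
    """RFC 1035 limits: 253 octets for the whole name and 63 octets for each label."""
    return len(domain) <= 253 and all(len(label) <= 63 for label in domain.split("."))


def client_verifies(domain: str, presented_pubkey: bytes) -> bool:
    """Client check: the name being connected to must be the hash of the key in the cert."""
    expected = domain_for_pubkey(presented_pubkey)
    # compare_digest avoids leaking the position of a mismatch through timing.
    return hmac.compare_digest(expected.encode(), domain.encode())


# Constructed sample keys standing in for DER-encoded public keys; not real key material.
SERVER_PUBKEY = b"constructed-server-public-key-v1"
ROTATED_PUBKEY = b"constructed-server-public-key-v2"

if __name__ == "__main__":
    name = domain_for_pubkey(SERVER_PUBKEY)
    print(name, len(name), "label lengths ok:", label_lengths_ok(name))
    print(client_verifies(name, SERVER_PUBKEY))   # True: name and key agree
    print(client_verifies(name, ROTATED_PUBKEY))  # False: a key change means a new name
```

With 24 words in one dashed label the name passes the 253-octet total but not the 63-octet label limit, which is the check a deployment would want to run before registering.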