Broader uses of DNS handles. #3480
hallambaker started this conversation in Protocol (atproto)
I have been looking at broader applications of DNS handles beyond ATprotocol. The following whitepaper summarizes my current approach:
https://www.ietf.org/archive/id/draft-hallambaker-any-00.html
You can also comment on the document on the MPlace2.social forum, which demonstrates the use of DNS handles for login. You can visit the site and leave comments using your Bluesky handle:
https://mplace2.social/
My goal is to go beyond that and add end-to-end communications so people can do what they do with Signal, Telegram, email, Dropbox, SSH, Git, code signing, etc., all using the same DNS handle. To do this, I need a more flexible PKI than the one provided by PLC DIDs. Fortunately, I have that already written.
So for ATprotocol, my DNS looks like this:
_atproto.phill.hallambaker.com. IN TXT "did=did:plc:k647x4n6h3jm347u3t5cm6ki"
phill.hallambaker.com. A 178.62.79.124
The A record is for my personal place on the Web where you can also leave comments using your DNS handle.
Extending the functionality makes the _atproto approach look somewhat unsatisfactory. At present, clients have to resolve the resource server metadata to locate the authorization service. But they don't actually care about the resource server unless they are doing ATprotocol. And the user might have better means of authenticating themselves, so if a client is only interested in authentication, it can bypass OAuth completely [my Mathematical Mesh protocols provide for advanced two-factor authentication].
So, I think the DNS records should start with a directory record listing all the services supported by the handle. In my case, it can be used with ATprotocol, OAuth directly, and Mesh communications, and there is an HTTPS site bound:
_handle.phill.hallambaker.com. IN TXT "atproto oauth mesh https"
After resolving the _handle record, a client can fetch additional data on OAuth or Mesh.
_oauth.phill.hallambaker.com. IN TXT "did=did:plc:k647x4n6h3jm347u3t5cm6ki oauth=https://bsky.social"
_mesh.phill.hallambaker.com. IN TXT "[email protected]"
_atproto.phill.hallambaker.com. IN TXT "did=did:plc:k647x4n6h3jm347u3t5cm6ki"
phill.hallambaker.com. A 178.62.79.124
Mesh handles have some similarities to PLC, but instead of being the fingerprint of an ECDSA384 key, they are the fingerprint of a list of root keys: Ed25519, Ed448, ECDSA521, ML-DSA-87. The Mesh is designed to meet and exceed NIST/NSA requirements.
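The resolution flow proposed above (read the _handle directory record first, then fetch only the per-service records the client cares about), as an added example that is not part of the post and is not code from ATproto or the Mathematical Mesh. The zone content is a constructed snapshot of the records quoted in the post so the code runs offline; the _mesh value is a placeholder because the real value is redacted on the page, and the DID syntax check and the cross-record DID consistency check are this example's own additions, not something the post specifies.

```python
"""Walk the proposed _handle directory record and its per-service TXT records.

Added example for this discussion; it is not code from the post, from the
ATproto reference implementation or from the Mathematical Mesh.  The DNS
content below is a constructed snapshot of the records quoted in the post, so
the resolver runs offline; plug a real TXT lookup into ``resolve_handle`` to
query live DNS (and remember that unsigned TXT answers are not authenticated).
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed zone snapshot.  The _mesh value is a placeholder because the real
# value is redacted on the page; everything else is copied from the post.
ZONE: Dict[str, List[str]] = {
    "_handle.phill.hallambaker.com.": ['"atproto oauth mesh https"'],
    "_oauth.phill.hallambaker.com.": [
        '"did=did:plc:k647x4n6h3jm347u3t5cm6ki oauth=https://bsky.social"'],
    "_mesh.phill.hallambaker.com.": ['"fingerprint=PLACEHOLDER-NOT-A-REAL-MESH-HANDLE"'],
    "_atproto.phill.hallambaker.com.": ['"did=did:plc:k647x4n6h3jm347u3t5cm6ki"'],
}

# Directory tokens that have their own underscore-prefixed TXT record.  "https"
# is served by the bare name's A/AAAA record and needs no TXT lookup here.
SERVICE_RECORD = {"atproto": "_atproto", "oauth": "_oauth", "mesh": "_mesh"}

# Loose DID syntax guard (did:<method>:<method-specific-id>); this example's own check.
DID_RE = re.compile(r"^did:[a-z0-9]+:[A-Za-z0-9._%:-]+$")

Lookup = Callable[[str], List[str]]


def lookup_txt(name: str, zone: Dict[str, List[str]] = ZONE) -> List[str]:
    """Offline stand-in for a DNS TXT query against the constructed zone."""
    return zone.get(name if name.endswith(".") else name + ".", [])


def parse_txt(value: str) -> Dict[str, Optional[str]]:
    """Split one TXT value into fields: key=value tokens map key -> value,
    bare tokens (like the service names in _handle) map token -> None."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # zone-file style quoting
    fields: Dict[str, Optional[str]] = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        fields[key] = val if sep else None
    return fields


def resolve_handle(handle: str, lookup: Lookup = lookup_txt) -> dict:
    """Resolve a DNS handle: read the _handle directory first, then fetch the
    per-service records it advertises.  Raises ValueError on records that are
    missing, ambiguous (more than one TXT answer) or mutually inconsistent."""
    handle = handle.strip().rstrip(".").lower()
    directory = lookup(f"_handle.{handle}.")
    if len(directory) != 1:
        raise ValueError(f"_handle.{handle}: expected one TXT record, got {len(directory)}")
    services = list(parse_txt(directory[0]))  # order as published
    result: dict = {"handle": handle, "services": services, "records": {}, "did": None}
    dids = set()
    for service in services:
        prefix = SERVICE_RECORD.get(service)
        if prefix is None:
            continue  # https, or a token this client does not understand
        answers = lookup(f"{prefix}.{handle}.")
        if not answers:
            result["records"][service] = None  # advertised but not published
            continue
        if len(answers) > 1:
            raise ValueError(f"{prefix}.{handle}: ambiguous, {len(answers)} TXT records")
        fields = parse_txt(answers[0])
        did = fields.get("did")
        if did is not None:
            if not DID_RE.match(did):
                raise ValueError(f"{prefix}.{handle}: malformed DID {did!r}")
            dids.add(did)
        result["records"][service] = fields
    # Every record that names a DID must name the same one; otherwise whoever
    # controls a single record could steer one service to a different identity.
    if len(dids) > 1:
        raise ValueError(f"{handle}: conflicting DIDs {sorted(dids)}")
    result["did"] = dids.pop() if dids else None
    return result


if __name__ == "__main__":
    print(resolve_handle("phill.hallambaker.com"))
```

To run this against live DNS, replace lookup_txt with a function that issues a real TXT query for the given name and returns the answer strings; the rest of the flow is unchanged. The directory lookup is what lets a login-only client stop after the _oauth (or _mesh) record without ever touching the ATproto resource server metadata, which is the point made in the post.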