There is actually a fifth type of name, escaped names. Right now, the only 
names we have of this type are SRV protocol tags, ( and 
internationalized names (xn—

I want to add a third set of escaped names, one that has similar functionality 
to .onion but does not leak as much information.​f--​b2gk​6​-​duf5​y​-​gyyl​​-jn5e​d​

This is a strong domain name and to interpret it we require a policy that is 
validated under the UDF fingerprint b2gk​6​-​duf5​y​-​gyyl​​-jn5e​d​. This in 
turn is a base 32 encoding of 92 bits of digest value plus an 8 bit version 
string. The fingerprint is over a content type identifier plus some content as 
specified here. 

The content is typically going to be some sort of cryptographic key (PGP, PKIX, 
SSH, JOSE, whatever) that signs some sort of assertion that states how the 
address ‘’ is to be interpreted.

The trick here is that we can now bind security policy direct to any DNS name 
without having to muck about with DNSSEC, or for that matter any other PKI 
standard other than the particular standard we want.

Lets say that Alice is using OpenPGP and her OpenPGPv5 key is 
mw83i-32ri4-83klq-3odp3. We can form an address from that:

Now that isn’t an address that we can interpret without access to Alice’s 
public key. Which is actually what I kinda want because I am fed up of spam. 
The fact that I give you my address does not mean I want just anyone being able 
to use it.

In the ordinary course of business, my ‘strong name aware’ mailer knows that it 
has to resolve mf--mw83i-32ri4-83klq-3odp3 somehow before it can use that email 
address. If I just type it into Outlook, the client will happily pass it on to 
my mail server and then it will get ‘stuck’ unless the mail system can figure 
out how to use that address. Which is exactly what you would want to happen 
with confidential mail.

If the address can be resolved, the result is normally going to be a policy 
that says what protocols the address can be used with and how.

Now, naturally, a split horizon DNS would be one natural place to provide 
access to a resolution service, but it need not be the only one.

The use of strong DNS names represents a major step forward in achieving a 
genuinely decentralized Web. Instead of there being an institution at the trust 
apex of the Internet, there is a digest function and a PKI scheme.

> On Sep 16, 2016, at 2:13 PM, John Levine <> wrote:
>> The drafts are:
> Having read them both, neither one thrills me but I'd give the nod to
> adpkja.  The "Internet Names" in tldr seems to me a bad idea, since
> there are a lot of other names on the Internet such as URIs and handle
> system names, and this is about domain names.
> It seems to me there are four kinds of names we have to worry about, and
> neither draft calls them all out clearly:
> * Names resolved globally with the DNS protocol, i.e.
>  ordinary DNS names
> * Names resolved globally with an agreed non-DNS protocol, e.g.
>  .onion via ToR
> * Names resolved locally with an agreed non-DNS protocol, e.g,
>  .local via mDNS
> * Names resolved locally with unknown protocols, e.g. .corp and
>  .home, the toxic waste names
> R's,
> John
> _______________________________________________
> DNSOP mailing list

DNSOP mailing list

Reply via email to