If I don't have to see another self signed cert or subnet for the rest of my life ...
You've reminded me that I need to write an essay on a PKI scheme I've been thinking about. The essence of it is that a domain name would be a hash of the public key in the certificate for that domain name. For the moment, I'm calling this Self-Authenticating Domain Names (SADN).
No purchase of a CA's signature; and no tortue of making/distributing self-signed certs. All you'd need to do is generate a SADN cert and buy a domain from a registrar using the hash of that cert's public key (e.g. b9c50f5a670a4da91785aa672e504a81.com).
The use-case for SADNs is for things like backend servers and Nostr relays, where succinctness of domain names is irrelevant.
The primary problem that I haven't worked out yet is key revokation. That is, if the private key is leaked, then you'd have to change the domain name. Since this is for backend stuff, I don't think changing domains would be devastating.
reply
deleted by author
reply