Long Term R&D: Decentralized CA and DNS (proposal)

1. Summary

This is a motion proposal for the long-term R&D of the DFINITY Foundation, as part of the follow-up to this post: Motion Proposals on Long Term R&D Plans (Please read this post for context).

This project’s objective

The Internet Computer offers dapp developers a possibility to build and host Web dapps on the Internet Computer that are served completely end-to-end through blockchain to any browser.

To ensure end-2-end security and verifiability of such content one needs to make decentralized blockchain-based certification compatible with the built-in browser tooling and verification mechanisms. Currently, this is achieved by using additional software, service workers, certified by “Let’s Encrypt”, which is one of the centralized certificate authorities accepted by browsers.

This project aims to provide mechanisms that ensure seamless verification of the content that is served from the Internet Computer blockchain to any browser and guarantee end-2end security without additional tooling, using built-in tools only. This includes making the IC a decentralized Certificate Authority and providing a decentralized DNS on the IC.

2. Discussion lead

Maria Dubovitskaya

3. How this R&D proposal is different from previous types

Previous motion proposals have revolved around specific features and tended to have clear, finite goals that are delivered and completed. They tended to be measured in days, weeks, or months.

These motion proposals are different and are defining the long-term plan that the foundation will use, e.g., for hiring and organizational build-out. They have the following traits and patterns:

  1. Their scope is years, not weeks or months as in previous NNS motions
  2. They have a broad direction but are active areas of R&D so they do not have an obvious line of execution.
  3. They involve deep research in cryptography, networking, distributed systems, language, virtual machines, operating systems.
  4. They are meant to match the strengths of where the DFINITY foundation’s expertise is best suited.
  5. Work on these proposals will not start immediately.
  6. There will be many follow-up discussions and proposals on each topic when work is underway and smaller milestones and tasks get defined.

An example may be the R&D for “Scalability” where there will be a team investigating and improving the scalability of the IC at various stages. Different bottlenecks will surface and different goals will be met.

3. How this R&D proposal is similar to what we have seen

We want to double down on the behaviors we think have worked well. These include:

  1. Publicly identifying owners of subject areas to engage and discuss their thinking with the community
  2. Providing periodic updates to the community as things evolve, milestones reached, proposals are needed, etc…
  3. Presenting more and more R&D thinking early and openly.

This has worked well for the last 6 months so we want to repeat this pattern.

4. Next Steps

Developer forum intro posted
1-pager from the discussion lead posted
NNS Motion proposal submitted

5. What we are asking the community

  • Ask questions
  • Read 1-pager
  • Give feedback
  • Vote on the motion proposal

Frankly, we do not expect many nitty-gritty details because these are meant to address projects that go on for long time horizons.

The DFINITY foundation’s only goal is to improve the adoption of the IC so we want to sanity-check the projects we see necessary for growing the IC by having you (the ICP community) tell us what you all think of these active R&D threads we have.

6. What this means for the existing Roadmap or Projects

In terms of the current roadmap and proposals executed, those are still being worked on and have priority.

An intellectually honest way to look at this long-term R&D project is to see them as the upstream or “primordial soup” from which more baked projects emerge from. With this lens, these proposals are akin to asking, “what kind of specialties or strengths do we want to make sure DFINITY foundation has built up?”

Most (if not all) projects that the DFINITY foundation has executed or is executing are borne from long-running R&D threads. Even when community feedback tells the foundation, “we need X” or “Y does not work”, it is typically the team with the most relevant R&D area that picks up the short-term feature or project.

4 Likes

Please note:

Some folks gave asked if they should vote to “reject” any of the Long Term R&D projects as a way to signal prioritization. The answer is simple: “No, please, ACCEPT” :wink:

These long-term R&D projects are the DFINITY’s foundation’s thesis at R&D threads it should have across years (3 years is the number we sometimes use internally). We are asking the community to ACCEPT (pending 1-pager and more community feedback of course). Prioritization can come at a separate step.

1 Like

Decentralized CA and DNS (One-pager)

Summary

Background: The Internet Computer (IC) offers dapp developers a possibility to build and host Web dapps on the Internet Computer that are served completely end-to-end from the blockchain to a browser.

To ensure end-2-end security and verifiability of such content one needs to make decentralized blockchain-based certification compatible with the built-in browser tooling and verification mechanisms. Currently this is achieved by using additional software, so called service workers, certified by “Let’s Encrypt”, which is one of the centralized certificate authorities (CA) accepted by browsers. There are also no built-in mechanisms to use custom domains for canister smart contracts running on Internet Computer.

Objective: This project aims to provide mechanisms that ensure custom domain names and seamless verification of the content that is served from the Internet Computer blockchain to any browser and guarantee end-2-end security without additional tooling, using built-in mechanisms only. This includes making the IC a decentralized Certificate Authority and providing a decentralized DNS on the IC.

Why this is important and why the DFINITY Foundation should make this a long-running R&D project

All current PKI systems used by the browsers assume centralized trusted third parties to serve as roots of trust (certificate authorities). To achieve true decentralization it is important to enable a decentralized system to act as a root of trust and interface with the current tooling to allow using it seamlessly and securely.

Becoming a decentralized CA is not just technically challenging: besides implementing cryptographic operations in a distributed fashion (for example, using threshold signatures instead of simple signatures) it also requires work and cooperation with browser manufacturers to complete the process of becoming a (root) CA supported by different browsers. The latter especially takes time and also support from the legal and compliance teams.

Key milestones & topics under this project

The project aims to achieve this goal via multiple steps (milestones):

  1. Make the Internet Computer serve as a decentralized CA
    1.1 Technical enablement:

    • Develop and implement multi-party computation protocols for TLS handshake
    • Develop and implement multi-party computation protocols for certifying the content (this includes the threshold ECDSA work that is in progress)

    1.2. Process and registration:

    • Apply to serve as a subordinate CA
    • Apply to serve as a root CA (to be able to certify any domain).
  2. Enable decentralized DNS support for canister smart contracts hosted on IC

  3. Ensure seamless content verification support for different platforms and browsers (via web or native Apps) with strong security guarantees. This includes integration with boundary nodes (see also Boundary Node project proposal).

People involved

Discussion leads: @maria @bitdivine @bjoern

Skills and Expertise necessary to accomplish this

The problems described above require the cooperation of different experts: from researchers and engineerings working on Cryptography, PKI, Networking, and Web technologies (to build the technical foundation) to specialists in Security, Compliance and Legal (to ensure that the Internet Computer can serve as a decentralized CA and DNS service).

What we are asking the community

Please review this proposal and provide us with any feedback you have regarding the boundary nodes. Please also review the other related proposals on trusted execution environments and boundary nodes. We invite you to engage in the discussion and hope it will be fruitful and useful for the IC community and for the future edge framework of the IC.

4 Likes

Proposal is live: Internet Computer Network Status

Would the DNS service only be accessible by other canisters, or would it be capable of functioning as a drop-in replacement to existing DNS servers on end-user machines?

2 Likes
  1. Ensure seamless content verification support for different platforms and browsers (via web or native Apps) with strong security guarantees. This includes integration with boundary nodes (see also Boundary Node project proposal).

By content verification, do you simply refer to the security guarantees made by TLS (i.e. confidentiality, server authentication, and message integrity), or is there something beyond that?

1 Like