Opened 5 years ago

Closed 3 years ago

#17040 closed enhancement (duplicate)

Blockchain as Root-CA for human-readable .onion domains

Reported by: renne Owned by:
Priority: Medium Milestone: Tor: very long term
Component: Core Tor/Tor Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The .onion domain has been officially approved as a special domain by the IETF. :)

Onion domains are decentralized and secure inside the TOR network, but not human-meaningful. Human brains have problems to remind and assign them to services. This problem is called Zooko's triangle. ('s_triangle)
The scandals in the last three years with certificate authorities issuing not-validated certificates and intermediate-certificates or being hacked have shown certificate authorities are not reliable which breaks security of SSL/TLS.

The Namecoin project project has proven it's possible to solve Zooko's triangle using a blockchain as distributed database to assign globally-unique self-registered IDs of any format to an asymmetric key-pair of a blockchain wallet. (

So I suggest to use a blockchain as Root-CA.

How it can work:

Registering name/creating certificates:

  1. User uses the TOR-client to create and save (e.g. paper-wallet) an asymmetric wallet key-pair.
  2. User uses the TOR-client to send a registration request for the tuple <self-choosen ID>:<public asymmetric key> to the blockchain network
  3. The nodes in the blockchain-network confirm the registration request
  4. User uses the TOR-client to create X.509 server-certificates with the Common Name '<self-choosen ID>.onion' signed with the <private asymmetric key> of the blockchain wallet
  5. TOR client uses the triple <self-choosen ID>:<public asymmetric key>:<private asymmetric key> from the X.509-certificate to register a hidden-service


  1. The TOR-client can use an overlay-filesystem to present the tuple <self-choosen ID>:<public asymmetric key> from the blockchain as X.509-root-certificate files in the SSL root-certificate-directory of the operating system (e.g. /etc/ssl/certs on Linux).
  1. Authentication applications (e.g. TLS/SSL) find the virtual X.509 root-certficates in the filesystem like any other x.509-certificate.

Child Tickets

Change History (2)

comment:1 Changed 5 years ago by teor

Milestone: Tor: very long term

comment:2 Changed 3 years ago by nickm

Resolution: duplicate
Severity: Normal
Status: newclosed

Closing as duplicate of #10747

Note: See TracTickets for help on using tickets.