We have to store the following information:
- pubkey (32 bytes)
- pubkeyRotate (32 bytes)
- validity: from, to (16 bytes)
- counter (8 bytes)
- head (32 bytes)
- signature (64 bytes)
The protocol shall define a global maximum validity.
See the SSOT package.
TODO:
- TLD should allow DNSSEC (all of them?)
- Registrar should support DNSSEC
- DNSSEC should be activated
- publisher attack: not possible
- DNS poisoning:
  - user has seen the key before: attack fails
  - user has not seen the key before: attack succeeds (can be mitigated with DNSSEC)
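The record layout above and the key-pinning cases under "DNS poisoning", as an added Go example (not the SSOT package's own code): a fixed 184-byte encoding signed with Ed25519 over the unsigned prefix, and a verifier that enforces the pinned key or its announced rotation key, a strictly advancing counter and the global maximum validity. Big-endian integers, Unix-second timestamps, Ed25519 and the 30-day maximum are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

const maxValidity = 30 * 24 * 3600 // assumed global maximum validity in seconds; the notes leave the value open
// SignedHead is the 184-byte record from the notes (integers big-endian): pubkey[0:32]
// pubkeyRotate[32:64] from[64:72] to[72:80] counter[80:88] head[88:120] signature[120:184].
type SignedHead [184]byte

func (sh *SignedHead) PubKey() []byte       { return sh[0:32] }
func (sh *SignedHead) PubKeyRotate() []byte { return sh[32:64] }
func (sh *SignedHead) ValidFrom() int64     { return int64(binary.BigEndian.Uint64(sh[64:72])) }
func (sh *SignedHead) ValidTo() int64       { return int64(binary.BigEndian.Uint64(sh[72:80])) }
func (sh *SignedHead) Counter() uint64      { return binary.BigEndian.Uint64(sh[80:88]) }

// Sign is the publisher side: the signature covers the first 120 bytes.
func Sign(priv ed25519.PrivateKey, rotate []byte, from, to int64, counter uint64, head []byte) *SignedHead {
	sh := &SignedHead{}
	copy(sh[0:32], priv.Public().(ed25519.PublicKey))
	copy(sh[32:64], rotate) // nil (all zero) if no rotation is announced
	binary.BigEndian.PutUint64(sh[64:72], uint64(from))
	binary.BigEndian.PutUint64(sh[72:80], uint64(to))
	binary.BigEndian.PutUint64(sh[80:88], counter)
	copy(sh[88:120], head)
	copy(sh[120:], ed25519.Sign(priv, sh[:120]))
	return sh
}

// Verify is the user side. With a pinned earlier head, the signer must be that head's key
// or its rotation key and the counter must advance (older heads are replays); pinned == nil
// is the first-sight case the notes say DNSSEC has to cover.
func (sh *SignedHead) Verify(now int64, pinned *SignedHead) error {
	if pinned != nil {
		if pk := sh.PubKey(); !bytes.Equal(pk, pinned.PubKey()) && !bytes.Equal(pk, pinned.PubKeyRotate()) {
			return errors.New("unknown signing key")
		}
		if sh.Counter() <= pinned.Counter() {
			return errors.New("counter did not advance")
		}
	}
	from, to := sh.ValidFrom(), sh.ValidTo()
	if to <= from || to-from > maxValidity || now < from || now > to {
		return errors.New("validity window rejected")
	}
	if !ed25519.Verify(sh.PubKey(), sh[:120], sh[120:]) {
		return errors.New("bad signature")
	}
	return nil
}
```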
This gives us
- globally identical,
- verifiable,
- reproducible, and
- attributable
Go binaries!