Build DNS-published cryptographic identity system

README.adoc

@@ -1 +1,217 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Hyperpolymath
+= Explicit Trust Plane
+:author: Hyperpolymath
+:email: hyperpolymath@proton.me
+:revnumber: 1.0.0
+:revdate: 2024-12-28
+:toc: left
+:toclevels: 3
+:icons: font
+:source-highlighter: rouge
 
+image:https://img.shields.io/badge/license-AGPL--3.0--or--later-blue[License]
+image:https://img.shields.io/badge/status-active-green[Status]
+image:https://img.shields.io/badge/DNSSEC-required-red[DNSSEC]
+
+== Overview
+
+*Explicit Trust Plane* is a framework for DNS-published cryptographic identity, treating DNS as a decentralized public key infrastructure (PKI) rather than merely a naming system.
+
+[source]
+----
+┌─────────────────────────────────────────────────────────────────┐
+│                   EXPLICIT TRUST PLANE                          │
+│                                                                  │
+│   Your cryptographic identity, published via DNS                │
+│                                                                  │
+│   ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐        │
+│   │  X.509  │   │ OpenPGP │   │ X25519  │   │  DANE   │        │
+│   │  Ed448  │   │ Ed25519 │   │   KEX   │   │  TLSA   │        │
+│   └────┬────┘   └────┬────┘   └────┬────┘   └────┬────┘        │
+│        │             │             │             │              │
+│        └─────────────┴──────┬──────┴─────────────┘              │
+│                             │                                    │
+│                      ┌──────▼──────┐                            │
+│                      │    DNS      │                            │
+│                      │  + DNSSEC   │                            │
+│                      └─────────────┘                            │
+└─────────────────────────────────────────────────────────────────┘
+----
+
+== Features
+
+* *Modern Cryptography* - Ed448, Ed25519, X25519 (no legacy RSA required)
+* *Algorithm-Agile* - Ready for post-quantum migration
+* *Self-Sovereign Identity* - No centralized key servers
+* *Reproducible* - Scripted key generation and DNS export
+* *Explicit Role Separation* - Signing vs key exchange vs identity
+
+== Quick Start
+
+[source,bash]
+----
+# Clone the repository
+git clone https://github.com/hyperpolymath/explicit-trust-plane.git
+cd explicit-trust-plane
+
+# Generate all cryptographic materials for your domain
+./scripts/generate-ca.sh yourdomain.com
+./scripts/generate-cert.sh yourdomain.com
+./scripts/generate-kex.sh yourdomain.com
+./scripts/generate-pgp.sh "Your Name" "you@yourdomain.com"
+
+# Export DNS records
+./scripts/export-dns.sh yourdomain.com
+
+# View the generated zone file
+cat dns/records/yourdomain.com.zone
+----
+
+== Project Structure
+
+[source]
+----
+explicit-trust-plane/
+├── ca/                     # Certificate Authority materials
+│   ├── root/               # Ed448 Root CA (KEEP OFFLINE!)
+│   │   ├── ca-ed448.key    # Private key (HSM recommended)
+│   │   ├── ca-ed448.crt    # Root certificate
+│   │   └── ca-ed448.crt.b64 # Base64 for DNS
+│   └── intermediate/       # Ed448 Intermediate CA
+│       ├── intermediate-ed448.key
+│       ├── intermediate-ed448.crt
+│       └── chain.crt       # Full certificate chain
+├── certs/                  # End-entity certificates
+│   ├── *.key               # Ed25519 private keys
+│   ├── *.crt               # Certificates
+│   └── *.crt.b64           # Base64 for DNS CERT records
+├── pgp/                    # OpenPGP keys
+│   ├── *.asc               # ASCII armored public keys
+│   ├── *.pgp               # Binary public keys
+│   └── *.pgp.b64           # Base64 for DNS CERT records
+├── kex/                    # Key exchange materials
+│   ├── *.x25519.key        # X25519 private keys
+│   └── *.x25519.pub.b64    # Base64 for IPSECKEY records
+├── dns/                    # DNS zone files
+│   └── records/            # Generated zone includes
+├── scripts/                # Automation scripts
+│   ├── generate-ca.sh      # Create CA hierarchy
+│   ├── generate-cert.sh    # Create server certificates
+│   ├── generate-pgp.sh     # Create OpenPGP keys
+│   ├── generate-kex.sh     # Create X25519 keys
+│   ├── export-dns.sh       # Export all as DNS records
+│   └── rotate-keys.sh      # Key rotation with backup
+└── docs/                   # Documentation
+    ├── DESIGN.adoc         # Architecture & rationale
+    └── DEPLOYMENT.adoc     # End-to-end deployment guide
+----
+
+== Algorithm Selection
+
+[cols="1,1,2,2"]
+|===
+| Algorithm | Type | Use Case | DNS Record Type
+
+| Ed448
+| Signature
+| Long-term CA certificates
+| CERT (PKIX)
+
+| Ed25519
+| Signature
+| Server certs, PGP signing
+| CERT (PKIX/PGP)
+
+| X25519
+| Key Exchange
+| TLS 1.3, VPN bootstrap
+| IPSECKEY
+
+| SHA-256
+| Hash
+| TLSA fingerprints
+| TLSA
+|===
+
+IMPORTANT: These are *different cryptographic objects*, not one key encoded multiple ways.
+
+== DNS Record Types
+
+=== CERT Records (RFC 4398)
+
+[source,dns]
+----
+; X.509 Certificate
+_cert.example.com.  IN  CERT  PKIX 0 0 <base64-certificate>
+
+; OpenPGP Key
+_pgp.example.com.   IN  CERT  PGP 0 0 <base64-pgp-key>
+----
+
+=== IPSECKEY Records (RFC 4025)
+
+[source,dns]
+----
+_ipsec.example.com.  IN  IPSECKEY  10 0 2 . <base64-x25519-pubkey>
+----
+
+=== TLSA Records (RFC 6698 - DANE)
+
+[source,dns]
+----
+_443._tcp.example.com.  IN  TLSA  3 1 1 <sha256-fingerprint>
+----
+
+== Security Requirements
+
+[CAUTION]
+====
+*DNSSEC is mandatory.* Without DNSSEC, DNS-published keys can be spoofed via cache poisoning attacks.
+====
+
+* *No MD5/SHA1* - SHA-256 minimum for all operations
+* *HTTPS only* - No HTTP URLs in any configuration
+* *HSM for CA keys* - Root CA private key must be offline
+* *Key rotation* - Automated rotation scripts provided
+
+== Minimum Viable Set
+
+For a single domain, you need:
+
+1. *1× Ed448 Root CA* - Offline, 10-year validity
+2. *1× Ed25519 Server Cert* - For TLS authentication
+3. *1× X25519 Key* - For TLS 1.3 key exchange
+4. *1× OpenPGP Key* - For human identity
+
+== Documentation
+
+* link:docs/DESIGN.adoc[Design Document] - Full architecture and rationale
+* link:docs/DEPLOYMENT.adoc[Deployment Guide] - End-to-end deployment walkthrough
+
+== Prerequisites
+
+* OpenSSL 3.0+ (Ed448/Ed25519 support)
+* GnuPG 2.2+ (modern ECC support)
+* DNSSEC-enabled DNS zone
+
+Check your versions:
+[source,bash]
+----
+openssl version  # OpenSSL 3.0.0 or later
+gpg --version    # gnupg 2.2.0 or later
+----
+
+== License
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+
+This project is licensed under the GNU Affero General Public License v3.0 or later.
+
+== Contributing
+
+See link:CONTRIBUTING.md[CONTRIBUTING.md] for guidelines.
+
+== Author
+
+Hyperpolymath <hyperpolymath@proton.me>

dns/zone.template

@@ -0,0 +1,181 @@
+; SPDX-License-Identifier: AGPL-3.0-or-later
+; SPDX-FileCopyrightText: 2024 Hyperpolymath
+;
+; Explicit Trust Plane - DNS Zone Template
+;
+; INSTRUCTIONS:
+; 1. Replace <DOMAIN> with your actual domain
+; 2. Generate cryptographic materials using scripts/
+; 3. Run scripts/export-dns.sh to generate actual records
+; 4. Copy or include the generated records in your zone
+;
+; IMPORTANT: Enable DNSSEC before deploying these records!
+
+$ORIGIN <DOMAIN>.
+$TTL 3600
+
+; =============================================================================
+; STANDARD DNS RECORDS (for reference)
+; =============================================================================
+
+; SOA and NS records - customize for your setup
+; @           IN  SOA   ns1.<DOMAIN>. hostmaster.<DOMAIN>. (
+;                         2024122801 ; serial (YYYYMMDDNN)
+;                         3600       ; refresh (1 hour)
+;                         1800       ; retry (30 min)
+;                         604800     ; expire (1 week)
+;                         300        ; minimum TTL (5 min)
+;                       )
+; @           IN  NS    ns1.<DOMAIN>.
+; @           IN  NS    ns2.<DOMAIN>.
+
+; =============================================================================
+; X.509 CERTIFICATES (CERT PKIX - RFC 4398)
+; =============================================================================
+;
+; Type: PKIX (1) = X.509 certificate in DER format, Base64 encoded
+; Key Tag: 0 (unused)
+; Algorithm: 0 (determined by certificate content)
+
+; Root CA Certificate (Ed448)
+; Usage: Trust anchor, published for transparency
+_ca._cert            IN  CERT  PKIX 0 0 (
+    ; === INSERT BASE64-ENCODED ROOT CA CERTIFICATE (DER) ===
+    ; Generate with: openssl x509 -in ca-ed448.crt -outform DER | base64 -w0
+    PLACEHOLDER_ROOT_CA_CERTIFICATE
+)
+
+; Intermediate CA Certificate (Ed448)
+; Usage: Chain validation
+_intermediate._cert  IN  CERT  PKIX 0 0 (
+    ; === INSERT BASE64-ENCODED INTERMEDIATE CA CERTIFICATE (DER) ===
+    PLACEHOLDER_INTERMEDIATE_CA_CERTIFICATE
+)
+
+; Server Certificate (Ed25519)
+; Usage: TLS authentication
+_server._cert        IN  CERT  PKIX 0 0 (
+    ; === INSERT BASE64-ENCODED SERVER CERTIFICATE (DER) ===
+    PLACEHOLDER_SERVER_CERTIFICATE
+)
+
+; =============================================================================
+; OPENPGP KEYS (CERT PGP - RFC 4398)
+; =============================================================================
+;
+; Type: PGP (3) = OpenPGP public key packet
+; Key Tag: 0 (unused)
+; Algorithm: 0 (determined by key content)
+
+; Primary identity key
+_pgp                 IN  CERT  PGP 0 0 (
+    ; === INSERT BASE64-ENCODED PGP PUBLIC KEY ===
+    ; Generate with: gpg --export user@domain | base64 -w0
+    PLACEHOLDER_PGP_PUBLIC_KEY
+)
+
+; Per-user pattern (optional)
+; user._pgpkey        IN  CERT  PGP 0 0 ( ... )
+
+; =============================================================================
+; KEY EXCHANGE (IPSECKEY - RFC 4025)
+; =============================================================================
+;
+; Format: precedence gateway-type algorithm gateway public-key
+;
+; Precedence: 10 (priority, lower = higher)
+; Gateway Type: 0 = no gateway
+; Algorithm: 2 = DSA (placeholder; actual algorithm is X25519)
+; Gateway: . (null)
+; Public Key: Base64-encoded raw 32-byte X25519 public key
+
+; X25519 for TLS 1.3 / VPN key agreement
+_ipsec               IN  IPSECKEY  10 0 2 . (
+    ; === INSERT BASE64-ENCODED X25519 PUBLIC KEY (32 bytes) ===
+    ; Generate with: openssl pkey -in x25519.key -pubout -outform DER | tail -c32 | base64
+    PLACEHOLDER_X25519_PUBLIC_KEY
+)
+
+; =============================================================================
+; DANE/TLSA (RFC 6698)
+; =============================================================================
+;
+; Format: usage selector matching-type certificate-data
+;
+; Usage: 3 = DANE-EE (end entity, no CA validation)
+; Selector: 1 = Subject Public Key Info (SPKI)
+; Matching Type: 1 = SHA-256 hash
+;
+; Naming: _port._proto.hostname
+
+; HTTPS (port 443)
+_443._tcp            IN  TLSA  3 1 1 (
+    ; === INSERT SHA-256 HASH OF CERTIFICATE SPKI ===
+    ; Generate with:
+    ; openssl x509 -in server.crt -noout -pubkey | \
+    ;   openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1
+    PLACEHOLDER_TLSA_HASH
+)
+
+; SMTP (port 25) - for mail servers
+; _25._tcp.mail       IN  TLSA  3 1 1 ( HASH )
+
+; SMTPS (port 465)
+; _465._tcp.mail      IN  TLSA  3 1 1 ( HASH )
+
+; IMAPS (port 993)
+; _993._tcp.mail      IN  TLSA  3 1 1 ( HASH )
+
+; =============================================================================
+; CERTIFICATE AUTHORITY AUTHORIZATION (CAA - RFC 8659)
+; =============================================================================
+;
+; Restricts which CAs can issue certificates for this domain
+
+; Allow Let's Encrypt only
+@                    IN  CAA  0 issue "letsencrypt.org"
+
+; Disallow wildcard certificates from any CA
+@                    IN  CAA  0 issuewild ";"
+
+; Report violations
+@                    IN  CAA  0 iodef "mailto:security@<DOMAIN>"
+
+; =============================================================================
+; MTA-STS / SMTP SECURITY (RFC 8461)
+; =============================================================================
+
+; MTA-STS policy location
+_mta-sts             IN  TXT   "v=STSv1; id=20241228"
+
+; SMTP TLS reporting
+_smtp._tls           IN  TXT   "v=TLSRPTv1; rua=mailto:tls-reports@<DOMAIN>"
+
+; =============================================================================
+; DKIM (RFC 6376)
+; =============================================================================
+;
+; DKIM with Ed25519 (RFC 8463)
+
+; selector._domainkey   IN  TXT  "v=DKIM1; k=ed25519; p=BASE64_PUBLIC_KEY"
+
+; =============================================================================
+; DMARC (RFC 7489)
+; =============================================================================
+
+_dmarc               IN  TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@<DOMAIN>"
+
+; =============================================================================
+; DNSSEC NOTES
+; =============================================================================
+;
+; DNSSEC records (DNSKEY, DS, RRSIG, NSEC/NSEC3) are managed by your DNS
+; provider or signing infrastructure. They are not included in this template.
+;
+; Recommended algorithms:
+;   - Algorithm 15: Ed25519 (preferred)
+;   - Algorithm 13: ECDSA P-256 (fallback)
+;
+; DO NOT use:
+;   - Algorithm 5: RSA/SHA-1 (deprecated)
+;   - Algorithm 7: RSA/SHA-1 NSEC3 (deprecated)