Blockchain as Root-CA for human-readable .onion domains
The .onion domain has been officially approved as a special domain by the IETF. :)
Onion domains are decentralized and secure inside the TOR network, but not human-meaningful. Human brains have problems to remind and assign them to services. This problem is called Zooko's triangle. (https://en.wikipedia.org/wiki/Zooko's_triangle) The scandals in the last three years with certificate authorities issuing not-validated certificates and intermediate-certificates or being hacked have shown certificate authorities are not reliable which breaks security of SSL/TLS.
The Namecoin project project has proven it's possible to solve Zooko's triangle using a blockchain as distributed database to assign globally-unique self-registered IDs of any format to an asymmetric key-pair of a blockchain wallet. (https://wiki.namecoin.org/index.php?title=Identity)
So I suggest to use a blockchain as Root-CA.
How it can work:
Registering name/creating certificates:
- User uses the TOR-client to create and save (e.g. paper-wallet) an asymmetric wallet key-pair.
- User uses the TOR-client to send a registration request for the tuple : to the blockchain network
- The nodes in the blockchain-network confirm the registration request
- User uses the TOR-client to create X.509 server-certificates with the Common Name '.onion' signed with the of the blockchain wallet
- TOR client uses the triple :: from the X.509-certificate to register a hidden-service
The TOR-client can use an overlay-filesystem to present the tuple : from the blockchain as X.509-root-certificate files in the SSL root-certificate-directory of the operating system (e.g. /etc/ssl/certs on Linux).
Authentication applications (e.g. TLS/SSL) find the virtual X.509 root-certficates in the filesystem like any other x.509-certificate.