
Closed (moved)
Opened Mar 09, 2020 by JeremyRand (@JeremyRand)

Namecoin for TLS certificate validation

Namecoin can provide DANE-style functionality for TLS certificate validation. This would enable validating trust of TLS certificates for onion services that have a Namecoin domain (relevant for Whonix-style trust models) without relying on public CAs, and would also make it harder for MITM attacks against exit traffic to be performed (if Namecoin support for exit traffic were added to Tor Browser).

Firefox does not natively support DANE, but we (the Namecoin devs) have identified a way to get DANE-like functionality in Firefox with no code patches to Firefox (we're using the PKCS11 "FindObjects" API to achieve this). Some small code patches to Firefox would make the code cleaner, but this wouldn't be required.

I assume this is a lower priority than the existing Namecoin support for onion services that's currently in Tor Browser Nightly, but Matt asked me to file a ticket for it anyway since it came up in one of the Tor Browser IRC meetings.

(As a side note, Namecoin's approach for getting DANE-like functionality in Firefox would probably be equally workable for the .onion TLD, so this might also allow things like putting a TLSA record in an onion service descriptor, without relying on Namecoin itself at all.)

Reference: legacy/trac#33568