Is it planned to verify TLS certificates through Blockstack?

Is it planned to specify how to verify TLS certificates/connections via a Blockstack id?

TLS is already in use everywhere but lacks a meaningful authentication of its keys (which Blockstack solves). It would be possible to extend currently deployed TLS on a website with a Blockstack id quite easily. Then one could surf as usual on the web, but without trusting the broken CA model.

Open questions would be: How to tie a website to its Blockstack id*. I guess something like specifying a Blockstack id in the robots.txt (which gets requested anyway) would be possible without creating overhead.

And: Is it necessary to prove as website operator that I own both domain and id (i.e. with the .well-known directory)? Should it be optional or necessary, or does it add meaningful security at all?


* not the other way round. Would be possible (with specifying the domain in the profile) but then it requires the user to explicitly use the id as domain. When having a technique for resolving a given domain to its Blockstack id, this gets triggered automatically when available.

2 Likes
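An added sketch, not code from the thread or from Blockstack, of the check a client could perform under the two ideas in the post above: a hypothetical `Blockstack-Id:` line in robots.txt naming the id, and a hypothetical TLS key claim in that id's profile. The directive name, the profile schema and all sample values are constructed assumptions.

```python
# Added example: bind a TLS certificate to a Blockstack id without a CA.
# Assumed convention (not a real Blockstack or robots.txt feature):
#   - the site publishes "Blockstack-Id: <id>" in robots.txt
#   - the id's profile carries a "tls" claim listing its domains and the
#     SHA-256 of the certificate's SubjectPublicKeyInfo (DER)
import hashlib
import json
import re

# Constructed sample robots.txt served by the site.
ROBOTS_TXT = """User-agent: *
Disallow: /private/
# hypothetical directive, not a standard robots.txt field
Blockstack-Id: example.id
"""

# Constructed sample profile for example.id (hypothetical schema).
PROFILE_JSON = json.dumps({
    "tls": {
        "domains": ["example.com"],
        "spki_sha256": hashlib.sha256(b"constructed-spki-der").hexdigest(),
    }
})


def id_from_robots(text):
    """Return the Blockstack id named in robots.txt, or None if absent."""
    m = re.search(r"^Blockstack-Id:\s*(\S+)\s*$", text, re.M | re.I)
    return m.group(1) if m else None


def verify_binding(domain, spki_der, robots_txt, profile_json):
    """Check the domain->id link, the id->domain link, and the key itself.

    Returns (ok, reason). The SPKI hash in the profile replaces the CA
    signature as the trust anchor; requiring the profile to also claim the
    domain stops a third party from pointing their site at someone else's id.
    """
    bid = id_from_robots(robots_txt)
    if bid is None:
        return False, "no Blockstack id published by the site"
    claim = json.loads(profile_json).get("tls", {})
    if domain not in claim.get("domains", []):
        return False, f"profile of {bid} does not claim {domain}"
    digest = hashlib.sha256(spki_der).hexdigest()
    if digest != claim.get("spki_sha256"):
        return False, "certificate public key does not match profile claim"
    return True, f"{domain} bound to {bid}"
```

A real client would pull the profile through Blockstack name resolution and take `spki_der` from the live TLS handshake; here both are embedded so the check runs offline.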

This is something we’ve discussed.

It would be nice to define a convention where websites hosted on blockstack names are only accessible via TLS and the validity of the TLS is determined by a claim stored in immutable data associated with the Blockstack name instead of the signature of a trusted certificate authority.

Now that we’re moving away from our own browser, we have less of an opportunity to define and push a convention like this.

Great idea to start a discussion about this @vsund! All great questions!

1 Like