Every (public) node should have a subdomain and a trusted TLS certificate, so that browser nodes can connect using /wss (Secure WebSockets transport).
We will support manual certificate configuration, and ACME automation for the user's own domain names, but both of these setups require some manual steps/input from the user.
Here, we discuss a protocol for providing a TLS cert for /wss to all remaining nodes in a way that happens automatically, without the user's involvement.
To get a TLS cert, we need a DNS name that points at a node, so that the node is able to perform ACME challenges on its own behalf.
There are two ways we can point a DNS name to an IP address. For the purpose of this discussion, let's assume that we have one PL-controlled "gatekeeper" node that has (programmatic) access to the DNS configuration of dweb.link.

1. `<subdomain>.dweb.link` (for example `127-0-0-1.libp2p-peer.dweb.link`)
2. `*.<subdomain>.dweb.link`
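The note gives one example name, `127-0-0-1.libp2p-peer.dweb.link`, but does not spell out the encoding. The following is an added example (not code from the note or from libp2p) that assumes the obvious generalisation: the node's IP literal becomes a single DNS label by turning its separators into dashes, under a parent zone that is a placeholder here (`libp2p-peer.dweb.link`). It covers IPv6 as well as IPv4, checks the RFC 1035 length limits, and decodes the label back so a gatekeeper can validate what it is asked to publish.

```python
import ipaddress

# Assumed layout, generalising the one example in the note
# (127-0-0-1.libp2p-peer.dweb.link): the node's IP literal becomes a single
# DNS label by replacing its separators with dashes, placed under a fixed
# parent zone. The parent zone name is a placeholder for this example.
PARENT_ZONE = "libp2p-peer.dweb.link"

MAX_LABEL = 63   # RFC 1035 limit for one label
MAX_NAME = 253   # RFC 1035 limit for the whole name


def ip_to_label(ip: str) -> str:
    """Encode an IPv4/IPv6 literal as one DNS label (ValueError on bad input)."""
    addr = ipaddress.ip_address(ip)  # validates the literal first
    if addr.version == 4:
        return str(addr).replace(".", "-")
    # IPv6: use the fully expanded form so decoding never has to guess
    # where the '::' compression was.
    return addr.exploded.replace(":", "-")


def label_to_ip(label: str) -> str:
    """Inverse of ip_to_label; returns the canonical (compressed) literal."""
    parts = label.split("-")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return str(ipaddress.IPv4Address(".".join(parts)))
    if len(parts) == 8:
        return str(ipaddress.IPv6Address(":".join(parts)))
    raise ValueError(f"not an encoded IP label: {label!r}")


def node_name(ip: str, parent: str = PARENT_ZONE) -> str:
    """Full per-node name for scheme 1, e.g. 127-0-0-1.libp2p-peer.dweb.link."""
    label = ip_to_label(ip)
    name = f"{label}.{parent}"
    if len(label) > MAX_LABEL or len(name) > MAX_NAME:
        raise ValueError("encoded name exceeds DNS length limits")
    return name


def wildcard_name(parent: str = PARENT_ZONE) -> str:
    """Wildcard covering every per-node label under the parent (scheme 2)."""
    return f"*.{parent}"


if __name__ == "__main__":
    for ip in ("127.0.0.1", "2001:db8::1"):
        n = node_name(ip)
        print(n, "->", label_to_ip(n.split(".")[0]))
    print(wildcard_name())
```

Decoding before publishing is the useful part for the gatekeeper: it should only ever create records for labels that round-trip to a valid address, rather than for arbitrary strings a peer sends it.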
Getting a TLS cert in an automated fashion relies on the ACME protocol, which supports different challenge types. Depending on which way we do the name resolution, we may decide to attempt an autonomous HTTP-01 challenge and fall back to DNS-01 facilitated by our gatekeeper.
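To make the two challenge paths concrete, here is an added example (not code from the note) of the values each side has to produce, computed as RFC 8555 and RFC 7638 define them: the node serves the key authorization over HTTP-01, while for DNS-01 the gatekeeper publishes the base64url SHA-256 of that same key authorization in a `_acme-challenge` TXT record. The account JWK is a constructed placeholder, not a real key, and the `allowed_challenges` helper encodes the caveat that the wildcard scheme can only be validated with DNS-01.

```python
import base64
import hashlib
import json

# Constructed P-256 account key in JWK form (public part only; the
# coordinates are placeholders, not a real key). Only the public JWK is
# needed to derive the challenge values below.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    # ACME uses base64url without padding everywhere (RFC 8555 section 8.1)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash only the required members, lexicographically ordered,
    # serialized without whitespace. Optional members (alg, kid) are ignored.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: token "." thumbprint(account key)
    return f"{token}.{jwk_thumbprint(jwk)}"


def allowed_challenges(name: str) -> tuple:
    # Let's Encrypt issues wildcard names via DNS-01 only; a single host
    # name can try HTTP-01 on its own first and fall back to DNS-01.
    if name.startswith("*."):
        return ("dns-01",)
    return ("http-01", "dns-01")


def http01_response(token: str, jwk: dict) -> tuple:
    """Path and body the node itself must serve on port 80 for HTTP-01."""
    return ("/.well-known/acme-challenge/" + token, key_authorization(token, jwk))


def dns01_record(name: str, token: str, jwk: dict) -> tuple:
    """TXT record owner and value the gatekeeper must publish for DNS-01."""
    base = name[2:] if name.startswith("*.") else name
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return ("_acme-challenge." + base, b64url(digest))


if __name__ == "__main__":
    token = "constructed-token-value"  # the CA supplies this per challenge
    for name in ("127-0-0-1.libp2p-peer.dweb.link", "*.libp2p-peer.dweb.link"):
        print(name, "->", allowed_challenges(name))
    print(http01_response(token, ACCOUNT_JWK))
    print(dns01_record("*.libp2p-peer.dweb.link", token, ACCOUNT_JWK))
```

Because the DNS-01 value is a hash of the key authorization, the gatekeeper never needs the node's account key; it only needs to be told the token and the thumbprint (or the finished TXT value) and should refuse to publish anything that is not 43 base64url characters for a name it has issued.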
Let's Encrypt imposes pretty strict rate limits on the issuance of new certificates. The current limit is 50 certificates per domain per week, where each certificate can contain up to 100 subdomains (although this is not recommended, because the certificate gets impractically big).
It seems like the rate limit does not apply to domains on the Public Suffix List (PSL); if I understand correctly, the limit would apply to their subdomains instead.
We control the [dweb.link](<http://dweb.link>) domain on the PSL, which means that rate limits would apply to <subdomain>.dweb.link, not dweb.link. That means we won't run into any rate limits, as long as we give nodes subdomains of the form <subdomain>.dweb.link (and not, let's say, <subdomain>.node.dweb.link).
This also means that we probably don't need any involvement from LE.
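The rate-limit argument above depends on how the "registered domain" is derived from the PSL, so here is an added example (not from the note) that works it through: a miniature constructed PSL that includes `dweb.link`, a longest-suffix matcher for plain and `*.` rules (exception `!` rules are left out), and a report that counts certificates per registered domain against the 50-per-week figure quoted above. It shows why `<subdomain>.dweb.link` names never share a bucket while `<subdomain>.node.dweb.link` names all land in one.

```python
from collections import Counter

# Constructed miniature Public Suffix List for this example; the real list
# at publicsuffix.org has thousands of rules. "dweb.link" is included
# because the note says it is on the PSL.
MINI_PSL = {"link", "com", "dweb.link", "*.compute.example"}

CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50  # the limit quoted in the note


def public_suffix(name: str, psl=MINI_PSL) -> str:
    """Longest PSL rule matching name (plain or '*.' wildcard rules).
    Exception ('!') rules are not modelled here."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        wildcard = ("*." + ".".join(labels[i + 1:])) if i + 1 < len(labels) else None
        if candidate in psl or (wildcard and wildcard in psl):
            return candidate
    return labels[-1]  # implicit default rule '*': the TLD is the suffix


def registered_domain(name: str, psl=MINI_PSL):
    """The name rate limits are keyed on: public suffix plus one label.
    A wildcard name counts under the same registered domain as its base."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    suffix = public_suffix(name, psl)
    if name == suffix:
        return None  # a bare public suffix is not itself a registered domain
    extra = name[: -len(suffix) - 1].split(".")
    return extra[-1] + "." + suffix


def rate_limit_report(cert_names, psl=MINI_PSL):
    """Count certificates per registered domain (one entry per certificate,
    identified by its primary name) and list the buckets over the limit."""
    buckets = Counter(registered_domain(n, psl) for n in cert_names)
    over = {d: c for d, c in buckets.items()
            if c > CERTS_PER_REGISTERED_DOMAIN_PER_WEEK}
    return buckets, over


if __name__ == "__main__":
    # Constructed fleets of 60 nodes, one certificate each, under both layouts.
    flat = [f"10-0-0-{i}.dweb.link" for i in range(60)]
    nested = [f"10-0-0-{i}.node.dweb.link" for i in range(60)]
    for fleet in (flat, nested):
        buckets, over = rate_limit_report(fleet)
        print(len(buckets), "buckets, over limit:", over)
```

The same function explains the aside's risk trade-off: whatever domain replaces `dweb.link` only gives each node its own bucket once that domain is actually accepted into the PSL, so the switch cannot be made before the PSL request has been merged and propagated.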
<aside>
💡 Reusing [dweb.link](<http://dweb.link>) (the public gateway domain) here brings increased risk in both directions (DMCA takedowns, censorship, anti-malware software blocks, etc.).
As a compromise, it may be acceptable to use .dweb.link for now, file a PSL request for adding something else like libp2p.direct, and switch to that domain over time, just to minimize risks.
</aside>