This repository holds two things that are kept in sync:
- The Internet-Draft
draft-steele-diem-architecture-demo— "An Architecture for DNS-Delivered Digital Emblems (Demonstration)", at the repository root. - A running demo (
demo/) — a small Next.js app that issues, verifies, marks, and unmarks DNS names with a CWT-based digital emblem delivered over DNS SVCB records.
The draft explores the IETF DIEM architecture and use cases; the demo is its executable companion.
Formatted text and HTML versions are built with make:
makeThis requires kramdown-rfc (Ruby) and xml2rfc (Python 3.10+); see the
i-d-template setup instructions.
On a machine where python3 cannot build a venv (e.g. a shimmed interpreter),
point the build at a real interpreter:
make PY=/opt/homebrew/bin/python3.13CI (.github/workflows/ghpages.yml) builds the editor's copy and publishes it
to the gh-pages branch on every push to main.
A single-page app with four operations over an Asset FQDN:
| Operation | What it does |
|---|---|
| Issue | Sign a CWT (RFC 8392) as a COSE_Sign1 (RFC 9052, ES256) with sub = the FQDN. |
| Mark | Publish the emblem as an SVCB record (RFC 9460) at emblem.<fqdn>, in a private-use SvcParamKey (key65280), binary-clean. |
| Verify | Discover the emblem (DNS-over-HTTPS SVCB query, or pasted), check the COSE signature, the validity window, and that sub == the queried FQDN. |
| Unmark | Remove the SVCB record. |
The emblem's raw COSE/CBOR bytes are carried directly in the SvcParam value; in
zone-file form binary is escaped byte-by-byte as \DDD (RFC 9460 §2.1).
cd demo
npm install
npm run devImport the repo and set the project Root Directory to demo. Optional
environment variables:
| Variable | Purpose |
|---|---|
EMBLEM_ISSUER_JWK |
Private P-256 JWK (JSON) for the issuer key. If unset, a committed insecure demo key is used so issue/verify stay consistent. |
EMBLEM_ISSUER_KID |
Key id for the issuer (default emblem-demo-1). |
CLOUDFLARE_API_TOKEN, CLOUDFLARE_ZONE_ID |
Enable Mark/Unmark to write real SVCB records. Without them, the app returns the record to publish manually. |
The demo performs real cryptography but ships an insecure, public issuer key by default. It is a demonstration, not a production service.
See the guidelines for contributions.
The draft is under the IETF Trust license (see LICENSE.md); prior demo code
was Apache-2.0 (see LICENSE).