Quoted:
How can I bootstrap an initial handshake, without the endpoint being hardcoded into the program? (Am I honing closer to the answer each time or getting further away?)
this is very straightforward to do, as long as both endpoints have visibility to the public internet and commonly used webscale features.
if that is the case, the means to do so are already in place and free to use for this purpose.
read:
https://en.wikipedia.org/wiki/Distributed_hash_table
https://en.wikipedia.org/wiki/Distributed_hash_table#Examples
https://en.wikipedia.org/wiki/Rendezvous_protocol
https://en.wikipedia.org/wiki/I2P
https://en.wikipedia.org/wiki/Freenet
etc
ETA
ps
even simpler, i just thought up a way to do StO (which you can evolve into CHAP) using DNS wildcards and (for example) apache virtual hosts.
example: via your SOA or your registrar, *.yourdomain.com points to a given IP, 1.2.3.4, which you control.
from anywhere on the internet, surf to www.yourdomain.com; you get a page of recipes.
from anywhere on the internet, surf to 0x123456.yourdomain.com; you get a page of recipes.
from anywhere on the internet, surf to whoareyou.yourdomain.com; you get a page of recipes
but
from anywhere on the internet, surf to seemingly_random_number.yourdomain.com; you get a page of interesting info, such as the current distributed hash table.
the seemingly random number is not actually random; it is a hash value made from several disparate pieces of info.
this info might be indexed from a one time pad, such as
https://www.amazon.com/Million-Random-Digits-Normal-Deviates/dp/0833030477 appended to a varying value and then augmented with something of general knowledge but nevertheless unpredictable (the whole part of the DOW closing value on the prior day, for example).
so we know on a saturday (day6) in december (month12) we use a given page/row/column in the pad to find a random number, the seconds since the unix epoch is appended to that, and then the prior day DOW closing value is appended to that, and then the SHA256 hash of that is taken.
this hash is only useful for the next second* to retrieve the page of interesting info at ${hash}.yourdomain.com
(*) the server can build a 2 or 3 second moat in both directions (timewise) with absolutely no practical reduction in overall security since the keyspace is so large.
ar-jedi
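
The label derivation and the server-side time "moat" described in the post above, as an added example that is not part of the original post. The pad table, the weekday/month indexing rule, the sample closing value and the truncation to 32 hex characters are assumptions; the truncation is there because a DNS label is limited to 63 octets while a full SHA-256 hex digest is 64 characters.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for the shared pad: PAD[row][column] is a 5-digit group.
PAD = [[f"{(r * 7919 + c * 104729) % 100000:05d}" for c in range(13)]
       for r in range(8)]

LABEL_HEX_CHARS = 32  # assumption: keep the label under the 63-octet DNS limit
MOAT_SECONDS = 3      # server tolerance in both directions, per the post


def pad_digits(epoch: int) -> str:
    """Assumed indexing rule: ISO weekday picks the row, month the column."""
    t = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return PAD[t.isoweekday()][t.month]


def rendezvous_label(epoch: int, prior_close: int) -> str:
    """pad digits + epoch seconds + whole part of prior close, then SHA-256."""
    material = f"{pad_digits(epoch)}{epoch}{prior_close}".encode("ascii")
    return hashlib.sha256(material).hexdigest()[:LABEL_HEX_CHARS]


def server_accepts(host_label: str, now: int, prior_close: int) -> bool:
    """True if the label matches any second inside the moat around `now`."""
    candidate = host_label.lower().encode("ascii", "ignore")
    ok = False
    for skew in range(-MOAT_SECONDS, MOAT_SECONDS + 1):
        # Recompute per candidate second so a pad row change at midnight works.
        expected = rendezvous_label(now + skew, prior_close).encode("ascii")
        ok |= hmac.compare_digest(candidate, expected)  # no early exit
    return ok


if __name__ == "__main__":
    now = 1702738800   # constructed sample: a Saturday in December (UTC)
    close = 37305      # constructed sample closing value, whole part only
    label = rendezvous_label(now, close)
    print(f"{label}.yourdomain.com", server_accepts(label, now + 2, close))
```

Any request whose leftmost label fails `server_accepts` would get the default page, so a wrong or stale label looks the same as any other wildcard hit.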