rodit-org

Closing the PKIX Working Group is, apparently, not news

PKI is perfect, isn't it?

The PKIX Working Group was responsible for the digital certificate standards, among them X.509, that enable various applications such as secure email, web security (SSL/TLS), and digital signatures. It officially concluded its operations... more than ten years ago (31 October 2013). Coincidentally, more or less at the same time Bitcoin was created.

The closure can only mean that PKI is perfect (many beg to disagree), or that the companies that sponsor work in PKI have zero interest in evolving the technology as their interests are well served with the current one.

PKI, despite years of development and refinement, still has challenges around certificate management, trust hierarchies, and the susceptibility of certificate authorities to breaches and mismanagement.

In order to manage some of the flaws in PKI, the main players created a system called Certificate Transparency (CT), a framework and set of standards aimed at tackling the vulnerabilities in the lifecycle of digital certificates used in public key infrastructures (PKI). CT provides a layer of security by enabling the detection of misissued or malicious certificates through publicly auditable logs. The core components of Certificate Transparency are:

  • Public Logs: These are append-only logs where certificates are recorded. Each log entry is cryptographically secured to prevent tampering. Logs are operated by various organizations and are designed to be publicly accessible and verifiable.

  • Monitors: Entities that observe and verify the entries in CT logs. Monitors can detect suspicious certificates and alert domain owners if an unauthorized certificate is issued for their domain.

  • Auditors: These are entities that check the consistency and integrity of CT logs. Auditors ensure that logs are functioning correctly and have not been tampered with.

  • Merkle Trees: A data structure used by CT logs to provide a cryptographic guarantee of the log's integrity. Merkle trees allow efficient and secure verification of individual log entries.

CT has several flaws, among them:

  • The reliance on a limited number of public logs. If a log operator is compromised or goes offline, it could disrupt the CT ecosystem.

  • Implementing and maintaining CT requires additional effort and resources from certificate authorities, website operators, and auditors. This complexity can be a barrier, particularly for smaller organizations with limited technical capabilities.

  • As the number of certificates grows, the size and management of CT logs can become challenging. The logs must handle large volumes of data efficiently while maintaining performance and integrity.

CT alone does not solve all issues related to PKI and digital certificates. While it adds a layer of transparency and detection, it does not prevent misissuance or replace the need for robust security practices.

So we are using a blockchain to mitigate the risks that arise from a system that was designed in the late 80s and early 90s, with the requirement of being able to operate off-line.

Why not evolve the technology and use self-issued, blockchain-based, digitally signed tokens, and cut out the middleman?
