Mustafa Al-Bassam
ABSTRACT
The Public Key Infrastructure (PKI) in use today on the Internet to secure communications has several drawbacks arising from its centralised and non-transparent design. In the past there has been instances of certificate authorities publishing rogue certificates for targeted attacks, and this has been difficult to immediately detect as certificate authorities are not transparent about the certificates they issue. Furthermore, the centralised selection of trusted certificate authorities by operating system and browser vendors means that it is not practical to untrust certificate authorities that have issued rogue certificates, as this would disrupt the TLS process for many other hosts.
SCPKI is an alternative PKI system based on a decentralised and transparent design using a web-of-trust model and a smart contract on the Ethereum blockchain, to make it easily possible for rogue certificates to be detected when they are published. The web-of-trust model is designed such that an entity or authority in the system can verify (or vouch for) fine-grained attributes of another entity's identity (such as company name or domain name), as an alternative to the centralised certificate authority identity verification model.
- A Next-Generation Smart Contract and Decentralized Application Platform. https://github.com/ethereum/wiki/wiki/White-Paper/784a271b596e7fe4e047a2a585b733d631fcf1d4.Google Scholar
- Ethereum Contract ABI. https://github.com/ethereum/wiki/wiki/Ethereum-Contract-ABI/e6077256597058bd257f75740955caa10624086d.Google Scholar
- Heather Adkins. 2011. Google Online Security Blog: An update on attempted man-in-the-middle attacks. https://googleonlinesecurity.blogspot.fr/2011/08/update-on-attempted-man-in-middle.html..Google Scholar
- Andreas M. Antonopoulos. 2014. Mastering Bitcoin: Unlocking Digital Crypto-currencies. O'Reilly Media Incorporated. Google ScholarDigital Library
- Tim Dierks and Eric Rescorla. 2008. RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2. https://tools.ietf.org/html/rfc5246.Google Scholar
- Simson Garfinkel. 1994. PGP: Pretty Good Privacy. O'Reilly & Associates. Google ScholarDigital Library
- R. Housley, W. Ford, W. Polk, and D. Solo. 1999. Internet X.509 Public Key Infrastructure Certificate and CRL Profile. https://www.ietf.org/rfc/rfc2459. Google ScholarDigital Library
- Satoshi Nakamoto. 2008. Bitcoin: A Peer-to-Peer Electronic Cash System. https://bitcoin.org/bitcoin.pdf.Google Scholar
- Harold F. Tipton. 2010. Official (ISC)2 Guide to the SSCP CBK, Second Edition (2nd ed.). Auerbach Publications, Boston, MA, USA. ISBNx1439804834, 9781439804834 Google ScholarDigital Library
- Gavin Wood. 2017. Ethereum: A Secure Decentralised Generalised Transaction Ledger (EIP-150 Revision). https://github.com/ethereum/yellowpaper/raw/2c6fba1400e321734ccec19cb5d9cb32a51ffc44/paper.pdf.Google Scholar
Index Terms
- SCPKI: A Smart Contract-based PKI and Identity System
Recommendations
Augmented certificate revocation lists
ACISP'06: Proceedings of the 11th Australasian conference on Information Security and PrivacyWe present a simple yet clever extension to the delta certificate revocation list(CRL) [1], the augmented certificate revocation list (ACRL). ACRLs contain revocation updates only and certificate verifiers construct complete CRLs locally. Locally ...
Generic Support for PKIX Certificate Management in CDSA
ACSAC '99: Proceedings of the 15th Annual Computer Security Applications ConferenceThe Common Data Security Architecture (CDSA) from the Open Group is a flexible standard that defines APIs for security services needed for implementing Public Key Infrastructure (PKI). The emerging IETF Public Key Infrastructure (PKIX) standards provide ...
Comments