Author: Joshua Oliver / Source: CoinDesk
The current system relies on a global network of certificate authorities (CAs) to verify the public key and the owner of each secure website. It has long been criticized for creating central points of failure. And those central points, the CAs, have actually failed in some cases.
Some think blockchains – the technology that manages key exchange for the $25bn bitcoin network – could be the basis for a secure alternative.
The initial idea
Like blockchains, CAs began as a way to facilitate connected commerce. Veteran developer Christopher Allen – who helped set up the first certificate authority, VeriSign – said he imagined a system with several CAs where users would pick which ones to trust.
As the system has scaled, however, it’s become impractical for everyday users to actively manage their trust in different authorities. Most now rely on their browser’s default settings instead. It’s now the browser companies that effectively control trust, giving them huge clout within the certificate industry.
“We’ve got a new centrality, which is the big browser companies,” said Allen.
While control over trust has centralized, the number of certificate authorities has grown. There now hundreds of authorities in countries around the world, and a failure at any one of them undermines the whole system.
The worst incident to date was the collapse of the Dutch authority DigiNotar in 2011. Hacking DigiNotar allowed attackers to spy on around 300,000 Iranian Gmail accounts, and forced a temporary shut down of many of the Dutch government’s online services.
Since then, there have been dozens of cases where CAs were caught issuing unverified certificates, using substandard security, or even trying to deceive browser companies. None of these had the same effects as DigiNotar, and the industry has raised security standards many times since 2011, but there are still those who think it’s time to look for a long-term alternative to CAs.
One of those alternatives was outlined in a 2015 white paper, written at a workshop Allen hosted called “Rebooting Web of Trust”. The paper set out goals for a decentralized public key infrastructure (dpki) to replace the current, centralized system.
“The goal of dpki is to ensure that … no single third-party can compromise the integrity and security of the system as as whole.”
In place of the current system, where domain ownership is recorded in the DNS and key are verified by CAs, Rebooting Web of Trust envisioned a secure namespace where domain registration…
Click here to read more