Author

Topic: Using Blockchain as a replacement for PKI (Read 2199 times)

member
Activity: 88
Merit: 12
June 17, 2015, 03:48:18 PM
#5
Is there any work done on using the blockchain for public key certification/authentication, the job CAs currently do?

Bitcoin has challenged banks, the central authorities of money;
why not do the same to CAs, the centralized authorities of the Internet.

Namecoin does something close but we need a general way to map any domain name/email address to a public key (even a bitcoin address).

Please point me to any work done in this regard.

You can store anything in the data that a .bit domain name refers to, it's usually JSON with the nameserver encoded within. No reason you couldn't add another JSON field for a public key.

I've thought before that it might be useful to tie a Certificate (like X509) to a particular output in a blockchain, owned by the certificate issuer. Then if you want to revoke the certificate, you just have to spend the output. i.e. the certificate is only valid if it's corresponding output is unspent.
member
Activity: 89
Merit: 13
My (yet to go public) futures trading startup uses bitcoin private/public keys to do authentication without a CA.

A CA is still needed for https; however no userids are needed or passwords to remember.

None of the ideas are new, I just put the best features of bitid/sqrl/bitauth into something that is automated from the users point of view

Other options to consider:

bitauth: Does not use bitcoin but uses ECDSA, signs every api call, so can be used like HMAC to protect API
Bitid: Uses bitid:// url scheme. Uses bitcoin addresses, Needs a supporting wallet
SQRL: Needs a trusted app, does not use bitcoin
Clef: Very nice, but you need to use their servers, essentially a trusted third party.

The best thing among the four was SQRL. I basically re-implemented SQRL to use bitcoin addresses/keys

legendary
Activity: 1135
Merit: 1166
You can look at Namecoin identities (id/ namespace) instead of domains - although, of course, that's still not a way to verify ownership of an email address or traditional domain name.  Since those are centrally controlled, I'm not sure if you can build a decentral system to verify them at all (except for solutions like CAcert).
legendary
Activity: 3430
Merit: 3080
DNSSEC is, I understand, part of the job completed already, but it suffers low roll-out atm. It's kind of new still, so maybe more might pick it up. Armory were working on using DNSSEC as a more robust alternative to BIP 70, hope that's still happening. I asked in the Armory sub (thread:https://bitcointalksearch.org/topic/secure-payment-address-by-verisign-and-armory-1024587) whether they would consider using a sidechain to store and transact the certs/names, but they didn't reply at the time.
legendary
Activity: 1001
Merit: 1005
Is there any work done on using the blockchain for public key certification/authentication, the job CAs currently do?

Bitcoin has challenged banks, the central authorities of money;
why not do the same to CAs, the centralized authorities of the Internet.

Namecoin does something close but we need a general way to map any domain name/email address to a public key (even a bitcoin address).

Please point me to any work done in this regard.
Jump to: