A New Mechanism To Revoke Certificates with Tamper-Proof Records
In a recently published academic conference paper, entitled A Scalable Bitcoin-Based Public Key Certificate Management System, nChain Researcher Dr Chloe Tartan, nChain Chief Scientist Dr Craig S Wright, and fellow researchers Dr Michaella Pettit and Dr Wei Zhang explored utilising Bitcoin (SV) as part of a public key infrastructure and certificate management system, along with its potential advantages over traditional systems.
The Story So Far: Balancing Security and Performance
Existing public key certificate management systems, including the Online Certificate Status Protocol (OCSP) and Google’s Certificate Transparency, have long suffered from one or more of the following:
- data silos;
- a lack of tamper-proof historical records; or
- an inability to revoke certificates effectively.
In an effort to address such challenges, modern attempts to incorporate and take advantage of new technologies and systems such as the blockchain have often come at the cost of impairing performance and the scale at which such systems can be deployed and used. Specifically, the rate of transactions and the associated fees have yet to reach a level that meets commercial requirements.
The Solution: Immutable Records and Revocation by Spending
By building on top of a well-established blockchain protocol and network that demonstrates the feasibility of processing several thousand transactions per second at an average cost of US$0.005, the solution proposed by the authors allows certificate authorities (CAs) and clients to address existing challenges through the following mechanisms:
- Immutability: by nature of a write once read many (WORM) system, records are updated merely by appending new transactions or data, resulting in a tamper-proof and transparent history of certificates and control of ownership—even when the certified keys are compromised.
- Revocation: with the ability to update and query the status of certificates in near real-time, revocation rights can be assigned to both CAs and certificate holders, or any other delegates, widening the ability to control such rights and their validity in a flexible manner. When combined with ‘timelocked’ transactions, certificates can expire in an automated manner.
- Atomic verification: the verification of a certificate can be linked to the spending of a transaction, equating the validity of the certificate to the validity of the transaction and allowing the seamless association between certificate verification and payment.
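A toy model of the immutability, revocation and timelock mechanisms listed above, added here as an illustration and not taken from the paper or from nChain's code: a certificate counts as valid only while its ledger output is unspent. The `Ledger` class, key names and block heights are constructed assumptions, and a signer name stands in for a real signature check.

```python
from dataclasses import dataclass, field

@dataclass
class Ledger:
    """Append-only model: entries are added to `log`, never edited (WORM)."""
    height: int = 0
    log: list = field(default_factory=list)      # (height, event, outpoint, key)
    unspent: dict = field(default_factory=dict)  # outpoint -> keys allowed to spend
    pending: list = field(default_factory=list)  # (unlock_height, outpoint, signer)

    def issue(self, cert_id, subject_key, revokers):
        """Anchor a certificate to a new output; `revokers` hold revocation rights."""
        outpoint = f"{cert_id}:0"
        self.unspent[outpoint] = set(revokers)
        self.log.append((self.height, "issue", outpoint, subject_key))
        return outpoint

    def spend(self, outpoint, signer, reason="revoked"):
        """Spending the output revokes the certificate. Only assigned keys may spend."""
        allowed = self.unspent.get(outpoint)
        if allowed is None or signer not in allowed:
            return False                       # unknown, already spent, or unauthorised
        del self.unspent[outpoint]
        self.log.append((self.height, reason, outpoint, signer))
        return True

    def schedule_expiry(self, outpoint, signer, unlock_height):
        """Model a timelocked spend that only becomes valid at `unlock_height`."""
        self.pending.append((unlock_height, outpoint, signer))

    def mine(self, blocks=1):
        """Advance the chain and apply any timelocked spends that are now due."""
        for _ in range(blocks):
            self.height += 1
            due = [p for p in self.pending if p[0] <= self.height]
            self.pending = [p for p in self.pending if p[0] > self.height]
            for _, outpoint, signer in due:
                self.spend(outpoint, signer, reason="expired")

    def is_valid(self, outpoint):
        """Status query: the certificate is valid while its output is unspent."""
        return outpoint in self.unspent

    def history(self, outpoint):
        """Full record for one certificate, including events after revocation."""
        return [e for e in self.log if e[2] == outpoint]

def demo():
    ledger = Ledger()
    web = ledger.issue("cert-web", "holder-key", {"ca-key", "holder-key"})
    mail = ledger.issue("cert-mail", "holder-key", {"ca-key"})
    ledger.schedule_expiry(mail, "ca-key", unlock_height=3)
    rejected = ledger.spend(web, "unrelated-key")  # holds no revocation right
    revoked = ledger.spend(web, "holder-key")      # holder revokes its own certificate
    ledger.mine(3)                                 # timelock on cert-mail matures
    return ledger, web, mail, rejected, revoked
```

The model does not cover the atomic link between certificate verification and payment described in the last item.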
Extensions by nChain
The proposed solution takes advantage of two key enabling tools developed by nChain: the Miner ID and Merchant API (mAPI) reference implementations. Miner ID holds node operators accountable, enabling network nodes (miners) to build their reputation and be trusted more easily among network clients. mAPI provides a secure communication channel between a network node and relevant parties for exchanging queries and responses. The result is a system that is flexible, readily accessible, and inexpensive to use and maintain.
While the proposed certificate management system could more immediately cater for online use cases such as website certificates, it could more generally be applied to organisations and enterprises where public key infrastructure or identity management is required.
nChain provides direct and ready access to the benefits of blockchain technology through its recently launched Kensei platform. With an initial focus on functionality related to audit and accountability, Kensei allows government and enterprise clients to verify the data they rely upon and make unauthorised editing of data easily detectable. Taking advantage of the latest research inventions demanded by organisations, more functionalities are expected to be rolled out by the end of 2021.