I was wondering if Let’s Encrypt is exploring blockchain technology as an alternative to TSL/SSL to issue certificates.
Any thoughts?
Do you have more details of the objectives?
For information, Let’s Encrypt uses certificate transparency: http://www.certificate-transparency.org
2 Likes
CTs are definitely a great example of how “block chain”-like technology can be beneficial to the Web PKI.
I can only imagine the extreme DDoS of every web server getting hammered by thousands of verification nodes in the alternate reality where blockchain is used to issue certificates 
.
4 Likes
I would say the technology that we might want an alternative to for this purpose is the web PKI and/or DNS. In this context there are proposals like Namecoin, which provide a way for people to make claims on names, look up other people’s claims, and associate public keys with their claims. Unlike DNS, there’s no mechanism for a central authority to revoke or transfer a name registration.
Some of these mechanisms might be quite valuable, but what they most need is browser support, not certificate authority support. With a Namecoin-like mechanism, there’s no CA involved at all, at least not a publicly trusted and audited CA like Let’s Encrypt. (Some proposals might end up generating a certificate for protocol compatibility, but it wouldn’t be issued and verified the same way that the web PKI does it.)
Let’s Encrypt could also use a blockchain or another kind of ledger to publish information about the validation steps that led to the issuance of a certificate, but currently this information is much too voluminous (by several orders of magnitude) and may be privacy-sensitive. As @tdelmas and @_az pointed out, Certificate Transparency is historically inspired by blockchains and uses closely-related cryptographic technology, and is already used by Let’s Encrypt and other CAs to publish issuance events, which help ensure that Let’s Encrypt can’t be made to publish a publicly-trusted certificate whose existence is kept secret.
We’ve all recognized the problems and imperfections related to centralization in the current system (to me, the most important ones relate to the potential for censorship). At the same time, all of the existing mechanisms exist for specific historical reasons and trying to replace them with decentralized alternatives will likely entail humongous trade-offs¹. The “enforcers” of the overall system on behalf of end users are the browsers, and they’re also the ones with the power to accept or implement alternatives to it (whether by default or as browser extensions).
¹ For example, a censorship-resistant system like Namecoin, or a successor or variant of Namecoin, would have a higher prevalence of phishing (due to a lack of trademark enforcement mechanisms), irreversible domain hijacking due to hacking, and unpredictable costs to register names, which eventually might be far higher than existing domain registration fees due to the need to compensate miners for securing the system, among other trade-offs.
4 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.