Digital certificates issued and recorded on the blockchain can replace the internet’s existing public-key security structure and secure identities and real-life interactions. nChain Chief Science Officer Dr. Owen Vaughan spoke to CoinGeek about a tool his company has developed to issue and verify these credentials, saying they could one day “form the bases of connectivity, interaction and exchange in Web3.”
“It is our goal at nChain to increase the security and privacy of this powerful technology,” he said.
Dr. Vaughan spoke on the topic at a recent presentation to the Philippines Securities and Exchange Commission (SEC) and published a short article as part of a series on Web3 technologies nChain has developed. As a demonstration, nChain used its tool to issue a “certificate of appreciation” to Dr. Vaughan for the Philippines event. The certificate is verifiable as valid (or not) by a BSV blockchain transaction, with a reference number and timestamp.
Everyone relies on digital certificates
Almost everyone in the world uses digital certificates—whether they’re aware of it or not. They’re used to verify most websites; most browsers these days will warn you if a site doesn’t have one. They facilitate e-commerce by encrypting communications between users, e.g., online payments, banking, and shopping. They also verify that software downloads and updates, from basic PC apps to those managing critical systems, came from their official developers and not from a hacker launching a “man-in-the-middle attack” by sitting in between servers and end users.
These certificates, issued by trusted “certificate authorities,” are an example of technology gaining widespread but invisible use as “plumbing.” They’re essential for privacy and security, yet most ordinary users remain oblivious to whether they’re using them or exist at all.
Currently, a certificate authority (CA) uses cryptographic public key infrastructure (PKI) to issue a digital certificate and bind its public key to its user’s identity.
Problems arise from the fact that CAs are centralized and often non-transparent in their operations. What happens if a CA’s own security is breached and a certificate needs to be revoked? (This has happened in the past; more of that later). In recent years, new logging processes have been implemented to improve response times and shed more light on CA internal procedures, but these are still cumbersome compared to what a blockchain-based system could achieve.
Issuers (CAs) may revoke certificates on security grounds or for more mundane reasons, such as a certificate no longer being needed. In order to verify if a digital certificate is currently valid or not, it’s necessary to ask the issuer, which Dr. Vaughan said introduces a technical overhead and loss of privacy.
“(nChain’s) tool does not involve cryptographic signatures, and so we avoid the complexity of organizations becoming official certificate authorities in a PKI,” Dr. Vaughan said. “Nevertheless, certificate issuance and revocation is recorded on the blockchain, providing an enhanced level of integrity.”
He added that the underlying technology can be made cryptographically secure if an organization is prepared to become a certificate authority.
“We believe these hierarchies of trust will be even more important in Web3. We do not envisage a ‘trustless’ environment. Rather, our tool can be used to enhance the trust we have in organizations and increase privacy. For example, we no longer need to rely on managing certificate revocations lists managed by multiple root CAs.”
nChain’s tool uses blockchain transactions to issue and revoke certificates. This means checking their validity is as simple as verifying whether a transaction exists or not. Like other blockchain records, the certificate data itself is not on-chain, just a plaintext string that verifies whether the certificate is valid. This offers big advantages in privacy—issuers and users may not want certificate details or reasons to be public. Those verifying certificates might not want the issuer or the subject to know they’re checking.
It’s trust in the blockchain itself as a “universal source of truth” that makes these certificate records secure. It also makes them more versatile: certificates can be used not only in online interactions, but to verify facts in real-life. We’ll talk about those shortly, but first, let’s look at what happens to today’s certificates and CAs when things go wrong.
The notorious DigiNotar
Anyone who’s followed Dr. Craig S. Wright’s work is familiar with the name DigiNotar, as he mentions it frequently. DigiNotar was a Dutch certificate authority that went out of business after suffering a breach in 2011. The exploit enabled unknown third parties to issue certificates in the names of DigiNotar’s clients, which included big names like Mozilla, Google (NASDAQ: GOOGL), Yahoo!, WordPress, The Tor Project, and the Dutch Government.
Earlier the same year, Comodo Security Solutions, Inc. (now known as Xcitium) reported that a user account at one of its affiliate registration authorities had suffered a breach, leading to nine fraudulent certificates on seven web domains.
“Iranian hackers” were fingered for the DigiNotar and Comodo exploits (although, as with many other hacks, it could also have been someone deliberately causing them to appear responsible). The main point here, however, is the response to the incidents rather than who was responsible. Once the exploits had been discovered, it was up to the companies who make the software that verifies the certificates (i.e., web browsers) to send alerts and issue security updates, which users then had to install.
This all takes time, of course, and there are no guarantees every end-user would update their software before being affected. DigiNotar was also criticized for delaying its announcement about the fraudulent certificates and wasn’t able to guarantee it had revoked all compromised certificates. Mozilla and Microsoft (NASDAQ: MSFT) chose to revoke DigiNotar’s root certificate from their browsers to be safe, which revoked any certificate DigiNotar had issued in its 13 years of business. Naturally, this caused far more disruption to many people than it should have.
The lesson we should have learned from these incidents was, at minimum, that there should be faster and more automated ways to issue alerts and certificate revocations. Instantaneous alerts and responses would be even better. The ability to query blockchain nodes (which is possible even today) automatically and get instant answers on certificate validity, saves time and money for those involved in the process, and anyone else affected by it down the line.
Useful digital certificates online and in real-life
Allowing any organization to issue blockchain-based certificates (whether they’re an authorized CA or not) has wider implications, not just online. A fast, cheap, and scalable blockchain like BSV blockchain can support 9,000 certificate issuances, revocations, or updates per second. Anyone can query blockchain records to check current validity.
Issuers can revoke individual certificates with a single transaction. A compromised issuer doesn’t need to result in revocation of every certificate they’re ever issued since issuance records are timestamped. It can be determined whether a certificate was issued before a breach occurred or not, allowing unaffected certificates to remain valid.
This drastic reduction in cost and efficiency means a wider variety of organizations can issue/revoke digital certificates—including most companies and government departments, universities and colleges, or private clubs.
“The tool will allow any organization to issue certificates to their users,” Dr. Vaughan said. “This could be an academy awarding certificates of course completion, it could be an employer issuing a certificate of working status, or it could be a government department issuing a permit.”
For the example of an employee’s current status, a new potential employer could check whether their interviewee was telling the truth by verifying a certificate detailing their employment status without the candidate or their current employer knowing. It’s possible to verify membership of some exclusive organization, such as a club or political entity, without publicly revealing the organization or its members. As mentioned previously, universities could issue these certificates to create secure digital records of degrees and other qualifications, verifying that a person has earned the credentials they claim to have.
Just as today’s PKI-based CAs and digital certificates verify identities and trust on the internet, blockchain’s more efficient solution (using nChain’s tools or others like it) can broaden their usefulness beyond the online world. It does this the same way a truly scalable blockchain improves many other processes—by making them faster, cheaper, and more accessible to everyone.
Dr. Vaughan’s presentation is based on a research paper titled “A Scalable Bitcoin-based Public Key Certificate Management System” by Chloe Tartan, Craig Wright, Michaella Pettit, and Wei Zhang.
Watch: Bitcoin tech is all about unleashing potential for small people
New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.