[Cryptography] A PKI without CRLs or OCSP

Francisco Corella fcorella at pomcor.com
Wed Oct 26 19:24:47 EDT 2016


Jerry,

> How does using a blockchain differ from having a PKI broadcast its
> entire set of signed public certificates?  Or, equivalently for
> reasonable efficiency, every delta to its set?  (With a serial number,
> of course - and the entire delta signed by the CA - so that receivers
> could detect modifications or missed deltas.)
> 
> A blockchain supports agreed-to modifications by anyone (to simplify
> the semantics). But a PKI has just one sender, broadcasting to many
> receivers.  You don't need a blockchain for that, just signatures.

By PKI we mean a public key infrastructure consisting of a hierarchy
of CAs.  It wouldn't be practical for the CAs in the hierarchy, nor
for a single CA, to broadcast certificates.  On the other hand it's
trivial for a CA to write a certificate hash to a store in its local
copy of the blockchain, and for a verifier to check whether the hash
is in the store, in its own local copy of the blockchain.  This
requires no network access by issuer or verifier besides the
communications on the peer-to-peer network that are used to keep the
local copies up to date.  Also, certificates are unsigned, which saves
the work of signing the certificate for the issuer, and the work of
verifying the signature for the verifier.

> A CRL blockchain - on which anyone could mark their own certificate as
> canceled - might make more sense, but even here it's the wrong
> semantics.  If I believe my certificate should be invalidated
> ... that's *my* call and my call alone.  The last thing I want to have
> to do is get a whole bunch of others on the blockchain to agree with
> me that it should be invalidated - it's *my* call, not theirs.  My
> signature alone on the invalidation is sufficient proof that I sent
> the invalidation and it should be honored.  I want some form of
> reliable broadcast to ensure that my invalidation has reached all the
> relevant parties, but that's a much weaker (and cheaper to produce)
> primitive than a blockchain.

We are not considering certificate revocation by the subject.  The CA
revokes a certificate by writing a hash of the unsigned certificate to
a store of revoked certificates in its local copy of the blockchain,
and the verifier checks for revocation by looking up the hash in the
store within its own local copy.

Francisco
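The issuance and revocation flow described in the reply above, as an added toy model that is not code from the post or from its author: a CA node writes the SHA-256 hash of an unsigned certificate into an "issued" store on its local copy of a chain, revokes it by writing the same hash into a "revoked" store, and a verifier answers from its own local copy after a peer-to-peer sync. The canonical-JSON hashing, the hash-linked block structure, the store names and the one-way `sync_from` are assumptions made for illustration; consensus among nodes, which a real blockchain would provide, is not modelled.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed model of the scheme in the post: stores of certificate
# hashes kept on a hash-linked chain, replayed by each node from its
# own local copy. Hashing convention (SHA-256 over canonical JSON) is
# an assumption, not something the post specifies.


def cert_hash(cert: dict) -> str:
    """Hash of an unsigned certificate over a canonical JSON encoding."""
    canonical = json.dumps(cert, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    entries: list  # (store_name, cert_hash) pairs written by the CA

    def digest(self) -> str:
        payload = json.dumps(
            {"index": self.index, "prev": self.prev_hash, "entries": self.entries},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


class LocalChain:
    """One node's local copy; the stores are rebuilt by replaying blocks."""

    def __init__(self):
        self.blocks = [Block(0, "0" * 64, [])]  # genesis block (constructed)

    def append(self, entries):
        prev = self.blocks[-1]
        self.blocks.append(Block(prev.index + 1, prev.digest(), entries))

    def verify_chain(self) -> bool:
        # Every block must commit to the digest of its predecessor.
        return all(
            self.blocks[i].prev_hash == self.blocks[i - 1].digest()
            for i in range(1, len(self.blocks))
        )

    def stores(self):
        issued, revoked = set(), set()
        for block in self.blocks:
            for store, h in block.entries:
                (issued if store == "issued" else revoked).add(h)
        return issued, revoked

    def sync_from(self, peer):
        # Stand-in for the peer-to-peer updates mentioned in the post:
        # pull blocks we lack, refusing any that do not link to our tip.
        for block in peer.blocks[len(self.blocks):]:
            if block.prev_hash != self.blocks[-1].digest():
                raise ValueError("peer block does not extend local chain")
            self.blocks.append(block)


class CA:
    def __init__(self, chain):
        self.chain = chain

    def issue(self, cert) -> str:
        h = cert_hash(cert)
        self.chain.append([("issued", h)])  # no signature on the cert itself
        return h

    def revoke(self, cert) -> str:
        h = cert_hash(cert)
        self.chain.append([("revoked", h)])
        return h


class Verifier:
    def __init__(self, chain):
        self.chain = chain

    def status(self, cert) -> str:
        # Purely local lookup: no OCSP responder, no CRL download.
        if not self.chain.verify_chain():
            return "chain-invalid"
        issued, revoked = self.chain.stores()
        h = cert_hash(cert)
        if h in revoked:
            return "revoked"
        return "valid" if h in issued else "unknown"


def demo():
    ca_chain, verifier_chain = LocalChain(), LocalChain()
    ca, verifier = CA(ca_chain), Verifier(verifier_chain)
    # Constructed sample certificate; field names are illustrative.
    alice = {"subject": "alice@example.com", "pubkey": "alice-key", "notAfter": "2017-10-26"}
    ca.issue(alice)
    verifier_chain.sync_from(ca_chain)
    before = verifier.status(alice)
    # An altered copy hashes differently, so it is simply absent from the store.
    tampered = dict(alice, pubkey="other-key")
    tampered_status = verifier.status(tampered)
    ca.revoke(alice)
    verifier_chain.sync_from(ca_chain)
    after = verifier.status(alice)
    # Editing a block in the verifier's local copy breaks the hash links.
    verifier_chain.blocks[1].entries = [("issued", cert_hash(tampered))]
    return before, tampered_status, after, verifier.status(tampered)


if __name__ == "__main__":
    print(demo())
```

The tampered certificate reports "unknown" rather than failing a signature check: with unsigned certificates, membership of the hash in the issued store is what binds the certificate's contents to the CA, which is the point the reply makes about saving signing and verification work.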