Enhancing Security of Certificate Authorities by Blockchain-based Domain Transparency

Qin Xiong, Yujian Zhang, Junhao Li, Fei Tong

2022 IEEE 28th International Conference on Parallel and Distributed Systems (ICPADS) (2023)

Abstract
Public Key Infrastructure (PKI) is the cornerstone technology to solve trust issues in cyberspace. However, PKI faces a serious problem of centralized trust in Certificate Authorities (CAs). Fraudulent certificates issued by CAs due to misoperation, being deceived, or being compromised, are used to launch attacks like Man-in-the-Middle (MitM), spoofing, etc. To enhance the security of CAs, we present a domain-centric system based on blockchain called Domain Transparency (DT). Domain owners are enabled to declare issuance policies that CAs should comply with in the DT system, so that all issued certificates are authorized by them. Furthermore, we design a Domain Configuration Transaction (DCT) to manage policies and certificates of domains. To resist CAs’ misbehaviors, domain owners are involved in the certificate issuance process to balance the absolute authority of CAs. We conduct extensive security analysis and implement a prototype of DT based on Hyperledger Fabric for performance evaluations. Experimental results reveal that DT is superior to competitor schemes in terms of functionality, storage and communication cost.
Keywords
blockchain, public key infrastructure, certificate transparency, domain transparency