LightLedger: A Novel Blockchain-Based Domain Certificate Authentication and Validation Scheme

Nowadays, existing public key infrastructures (PKIs) certificate authentication suffers from many security failures. Trusted certificate authorities (CAs) can issue a valid certificate for any domain name. Although CA is supposed to be trusted by a client if the certificate issued to the client links to the chain of trust (e.g., root CA or subordinate CA). By compromising any of the latter (e.g., root CAs or subordinate CAs) an attacker can jeopardize the security of the entire system. Moreover, third-party CAs have to be trusted by domain owners. Currently, the trust is not balanced among the entities involved in the certificate authentication and issuance process (i.e., CAs and domain owners). To counter this problem approaches such as Domain authentication name entity (DANE) and Certificate Authority Authorization (CAA) offer additional securities for domain authentication. However, these approaches depend upon DNS/DNSSEC infrastructure which requires complex requirements for deployment as well as the adoption rate has been low. In this paper, we design, implement a robust and scalable domain authentication scheme based on blockchain technology with privacy-preserving features for low-constrained devices (e.g., mobile, browser, and IoT devices). The proposed system records a set of trusted CAs each associated with a specific domain in the blockchain. That is, each CA has to first verify if it is trusted to perform the actual issuance process. We compare our scheme with existing authentication methods and show that it requires less storage capacity and low bandwidth to authenticate certificates than other methods.