As CTO at Certified Security Solutions, I’ve been asked the question more and more lately, “how will Blockchain impact PKI?”
There’s so much mysticism around Blockchain technology today that it can become difficult to separate the reality from the hype, and the logical conclusions from wild speculation. Nonetheless, digital certificates and other identity-related technologies such as Public Key Infrastructure (PKI), Federation and OAuth are a core component of many systems today, so it’s logical to examine how a disruptive technology such as Blockchain will affect these technologies.
While the final outcome remains to be seen, I believe that Blockchain is likely to become a technology that largely benefits from PKI and other identity technologies, rather than replacing them.
To dig deeper, it’s important to remember that Blockchain is, at its core, a mechanism that allows multiple disparate parties to share a common, immutable ledger. In the Bitcoin blockchain, the ledger contains transactions involving the exchange of currency, but in the more general case the contents of the ledger can be almost anything. Incidentally, it’s important to note that in order for this ledger to be truly immutable, blockchains require certain aspects that are quite unique.
So what might blockchain transactions look like in the future? In most cases, a transaction can be represented as a sentence, with nouns and verbs. Let’s consider some examples:
- Mike Williams gave 3 Bitcoin to John Smith.
- Sheila Cross licensed the permission to download “Swan Lake.”
- XYZ Corporation manufactured a widget with serial number 723736251.
- Widget with serial number 723736251 was sold to Foo Industries.
- John Smith has granted permission for Universal Healthcare to share his medical records with ABC Insurance.
Blockchain technology enables disparate parties to maintain immutable records of transactions such as these. However, such transactions often require high-assurance identities associated with the participants in the transaction. In other words, how do we know that the entity performing the transaction really is Mike Williams, or Sheila Cross, or XYZ Corporation? And perhaps more importantly, who says so?
Of course, there are decentralized means of establishing identity. PGP, for example, includes a “web of trust” capability that allows multiple parties to weigh in on the identities of participants within the “web.” In practice, however, this capability has not garnered the critical mass needed to prosper.
In many cases, and perhaps even in the majority of cases, trust in these participants must be established by mutually trusted third parties. And, as it turns out, PKI and digital certificates, and their ability to leverage trusted third parties to bind identities to a cryptographic key, do this very well. Therefore it seems likely that blockchains and digital certificates will frequently be used together, with certificates establishing the trustworthiness of the nouns involved in a transactional statement, and blockchain recording the verbs and transactional relationships between the nouns.
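The division of labour described above, as an added example in Go (not code from the original post): a hash-linked ledger records signed statements, while a trusted CA's signature over a name and key decides who the signer is. The `Cert` struct is a simplified stand-in for an X.509 certificate, and the names `issue`, `record` and `verify`, like the demo keys, are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Cert is a minimal stand-in for an X.509 certificate: a CA signature over name plus key.
type Cert struct {
	Name  string
	Key   ed25519.PublicKey
	CASig []byte
}

// Entry is one ledger record: the verb (Statement), the noun's certificate, a signature.
type Entry struct {
	Statement string
	Cert      Cert
	Sig       []byte
}

// issue plays the trusted third party: it binds a name to a public key.
func issue(ca ed25519.PrivateKey, name string, key ed25519.PublicKey) Cert {
	return Cert{name, key, ed25519.Sign(ca, append([]byte(name+"\x00"), key...))}
}

// record signs stmt together with the chain head, so it cannot be moved or replayed.
func record(head [32]byte, stmt string, c Cert, k ed25519.PrivateKey) Entry {
	return Entry{stmt, c, ed25519.Sign(k, append(head[:], stmt...))}
}

// verify checks e against the chain head; it returns the CA-vouched signer and the new head.
func verify(caPub ed25519.PublicKey, head [32]byte, e Entry) (string, [32]byte, error) {
	if !ed25519.Verify(caPub, append([]byte(e.Cert.Name+"\x00"), e.Cert.Key...), e.Cert.CASig) {
		return "", head, fmt.Errorf("identity not vouched for by the trusted CA")
	}
	m := append(head[:], e.Statement...)
	if !ed25519.Verify(e.Cert.Key, m, e.Sig) {
		return "", head, fmt.Errorf("statement altered, reordered, or signed by another key")
	}
	return e.Cert.Name, sha256.Sum256(append(m, e.Sig...)), nil
}

func main() {
	caPub, ca, _ := ed25519.GenerateKey(nil) // constructed demo keys; nil selects crypto/rand
	pub, key, _ := ed25519.GenerateKey(nil)
	e := record([32]byte{}, "Mike Williams gave 3 Bitcoin to John Smith.", issue(ca, "Mike Williams", pub), key)
	fmt.Println(verify(caPub, [32]byte{}, e))
}
```

An entry signed under a certificate from any other issuer fails the first check even though its own signature and chain position are valid, which is the "who says so?" question the ledger cannot answer by itself.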