“It has already happened, it is happening now and if we do not change it it will happen in the future”

Dutch cybersecurity scientist Volkan Kaya stated that the x.509 standard PKI which determines the format of digital certificates is weak. With years of experiences working in the banking industry and graduated from Cyber Security Academy, he can easily shut down the entire Internet. In The Netherlands, the vulnerability of the Internet had also shown by the DigiNotar attack.

 

Certification protocols should be exist based on the ‘truth’ instead of ‘trust’. 

X.509 issue digital certificates through e-mail. The e-mail message protocol (smtp) is not a secure protocol and can be intercepted by attackers.

The x.509 issues multiple certificates by using different key pairs at the same time for a specific domain name. Kaya: “The flexibility of having multiple valid certificates for the same host computer at the same time makes it possible to issue false valid certificates without knowledge of the host computer itself.”

 

Kaya came up with new PKI certificate so-called ConsensusPKI. 

The certificates authorities in ConsensusPKI are collectively responsible for the identity of the normal computers and also the identity of all certificate authorities. Only the most recently issued certificate is a valid certificate. The certificate issuance process requires authentication of the CVRs by multiple CAs. All verifications performed during the certificate issuance must be broadcast to other CAs so that the verified CVRs can be saved to the related certificate blockchain. They can in turn issue a verified certificate.

For the interpretation of the certificates, CAs have to interrogate their database by client systems. The CAs must retain all blocking data that represent all certificates in the ecosystem that are stored in the CA infrastructure. The CAs must protect the blocking data that they store so that they can respond fairly to the incoming questions.

Finally, the certificates in the ConsensusPKI do not carry signatures of the issuing CAs. ConsensusPKI requires CAs to be honest during the use and issuance of certificates. The PKQuery and fetch processes of the ConsensusPKI ensure that the core of ConsensusPKI is maintained.