CR | SY | Apr 15, 2020

Hardening X.509 Certificate Issuance using Distributed Ledger Technology

arXiv:2004.07063v1 | 10 citations
AI Analysis

The paper addresses security vulnerabilities in cryptographic communication protocols for users and organizations relying on X.509 certificates. It represents an incremental improvement, applying distributed ledger technology to an existing process.

The paper tackles the problem of ensuring correct X.509 certificate issuance by proposing a system that enforces a policy-defined, multi-party validation and authorization workflow for certificate signing requests, achieving full accountability for forensic purposes.

The security of cryptographic communication protocols that use X.509 certificates depends on the correctness of those certificates. This paper proposes a system that helps to ensure the correct operation of an X.509 certification authority and its registration authorities. We achieve this goal by enforcing a policy-defined, multi-party validation and authorization workflow of certificate signing requests. In addition, our system offers full accountability for this workflow for forensic purposes. As a foundation for our implementation, we leverage the distributed ledger and smart contract framework Hyperledger Fabric. Our implementation inherits the strong tamper-resistance of Fabric, which strengthens the integrity of the computer processes that enforce the validation and authorization of the certificate signing request, and of the metadata collected during certificate issuance.
