Root Causes 88: PKI and Blockchain

Episode Transcripts

Lightly edited for flow and brevity.

• 

  Tim Callan

  Once again, we have our favorite guest, Alan Grau. Alan is VP of IoT and Embedded Solutions here at Sectigo. How you doing today, Alan?

• 

  Alan Grau

  I'm doing great. Thanks, Tim.

• 

  Tim Callan

  So, we have recorded a series of podcast episodes over the previous few months on the topic of Blockchain and we started with some fundamentals, we built it up. We talked about cryptocurrency and we've sort of been leading to today's topic, which is Blockchain and PKI. How do they compare? How do they interact? Is one a surrogate for the other? What's going on with these two things? So, kind of a broad general question, but let me throw that out there and maybe you can give us some thoughts on that, Alan.

• 

  Alan Grau

  Sure. Tim, I'm happy to talk about that and it's a topic that, you know, working for a PKI company and being someone that is also interested in Blockchain and its applications, have had some time to dig into and look at this and at a high level, one of the things that I always come back to on this is, as Jason said not too long ago, is the right tool for the right job. And, you know, Blockchain, as we've been talking about covers a number of really, or solves a number of really important problems. It's a great solution when you need to have a storage solution that's immutable, that is publicly auditable, you know, that solves those problems and there's a strong role for that in the PKI world. If you look at what most or what all public Certificate Authorities are doing now with certificate transparency logs, you know, those are published using Merkle trees. That's information that could easily be published on a Blockchain and so that allows, you know, the publication of all the certificates that have been issued in the public world, you know, the public trust certificates and so that there's, you know, an ability - - if I've got a company and somebody tries to issue a certificate utilizing my domain, I can discover that and action can be taken about it. You know, there's an ability to ensure that things can be audited so that we know who is issued what certificates, have they been issued properly? All of those things. So, that's a piece that could easily get transitioned to a Blockchain. One of the, you know, on the other extreme, then there are people who are really excited about the technology, but maybe haven't had a chance to dig into it and understand all the nuances who've come out and said, well, you know, we'll just replace PKI with Blockchain and that'll solve all of our problems. When you really look at the ecosystem around PKI and particularly public certificate issuance, that gets to be a little bit sticky.

• 

  Tim Callan

  Yeah. I'm having trouble - and maybe I'm just not being imaginative enough – but I'm having trouble understanding how one implements a Blockchain-based surrogate for, let's say, an SSL certificate.

• 

  Alan Grau

  Right. So, one of the challenges there is if I wanted an SSL certificate for my website, I have to go out and buy that through a Certificate Authority and part of the process is they then validate who I am. And I suppose that there are some kind of low level domain level validation that's fairly straightforward and automated, but there's also the process of validating, you know, who I am, who the owner of it is or who the company is that's buying the certificate and some of that's a much more human interactive process. Right. So how do you verify the whole registration authority process of a CA. You know, so that piece really can't be easily, or, you know, in the foreseeable future, you know, just automated and put into smart contracts or dropped on a Blockchain.

• 

  Tim Callan

  Yeah, and one of the things there, Alan, that you're kind of touching on is when I think about Blockchain, Blockchain is distributed. When I think about a CA, CA is hierarchical, and those are fundamentally different architectures, if you will, and, so right there, that would mean that there were some things that PKI can do that would be really, really, really hard for Blockchain and vice versa.

• 

  Alan Grau

  Yeah. No. I think that, that's quite true. And as we look at, you know, the Certificate Authority piece, right, I mean, even to start with the name, there's an authority, right? There's someone who is giving their stamp of approval saying that the certificate should be issued and I stand behind this certificate. So, if you're going to replace that with PKI or with a Blockchain-based solution, well, in Blockchain, you know, there's a number of things that happen by consensus. And so, you know, there's this, you know, the processes are just very different. Um, you know, in the end, again, Blockchain works great when you can come to a consensus that we're going to record all these transactions. You could come to a consensus that you're gonna, that these certificates have all been approved but there still has to be, you know, kind of some central authority that is driving the process, that’s, you know, standing behind it. And then, you know, one of the other subtleties that isn't covered in PKI, or that's critical to PKI that Blockchain isn't able to address, is, you know, the root certificate, the person who's signing the entity, that's signing certificates, they have a private key that has to be protected against, you know, the highest possible levels of cyberattacks, against physical attacks. Right? They’re, you know, the data centers where the private route key for public trusts are stored are, you know, are protected on multiple levels, you know, in a hardware HSM where the private key is stored. You know, for the high-level roots, those are offline where even if you could gain access, you still can't, you know, can't get access to that key. You know, in Blockchain, you don't have that analogy. You don't have that same capability. So again, Blockchain could play a central role in, you know, storing certificate logs in, you know, providing public key or public certificate, um, distribution points. If you want to look at, you know, how you do certificate revocation, if you want to, whenever it gets revoked, if that goes on a Blockchain that's publicly available. Right? Those are all great use cases for Blockchain within the world of PKI, in the world of a Certificate Authority, but there's other pieces that aren't addressed.

• 

  Tim Callan

  You're handing out, I think a real important point, Alan, which is that Blockchain and PKI are both fundamental building block kind of technologies and I often say to people it's like nails, right? You'd say, well, how do you use nails? Well, you can use nails lots and lots of ways. Same for Blockchain. Same for PKI. And, and in reality, what we have is we have ecosystems. We have use cases. We have more complicated systems that depend on these technologies, but are greater than these technologies. So, for instance, if you think about a cryptocurrency, a cryptocurrency, isn't a Blockchain. A cryptocurrency is an ecosystem that is enabled by Blockchain. And ditto, a public CA isn't PKI. A public CA is an ecosystem that is enabled by PKI. And so, in reality, what we probably will have is a lot of examples of ecosystems that use both in conjunction. Where each is doing the thing that it's best at.

• 

  Alan Grau

  Yeah. No, I absolutely think that that's not only what should happen, but what will happen over time.

• 

  Tim Callan

  Yeah. Yeah. And to some degree does happen already. Right? Cyptocurrencies depend on PKI, right? You can't, you wouldn't, you wouldn't be able to trade Bitcoin if PKI didn't exist.

• 

  Alan Grau

  I mean a Bitcoin wallet, right, is essentially a public key and a private key and you know, one of the things we've seen, you know, headlines on is, you know, somebody had their private key for their Bitcoin wallet on a hard drive or a USB drive and they threw it away. So, you know, now all of a sudden, I mean, there's one famous story of somebody that had $138 million worth of Bitcoin or something like that.

• 

  Tim Callan

  Some cryptocurrency. Yeah.

• 

  Alan Grau

  Now he’s at the landfill trying to find his PC.

• 

  Jason Soroko

  But guys, let's be careful, right, because when we say PKI, really what we're saying is synonymous with the concept of a Certificate Authority, which is diametrically opposed to something that is distributed, right? This is the theme of what we've been talking about. And so, therefore, you wouldn't call cryptocurrency PKI-based because of the fact that it is a distributed concept and not from a central Certificate Authority, which is what is basically the definition of underlying PKI beyond just the public and private key pair. So I just want to finish this off, Alan, with the idea that if you put on a Venn diagram, Blockchain or consensus-based technologies that are distributed and PKI, which is a centralized Certificate Authority based system, I like to look sometimes at the very center of the Venn diagram and that center of the Venn diagram right now, from an SSL standpoint, as Tim pointed out, and you pointed out earlier, the idea behind that is that we, we do in fact have in our history, people that have proposed public key infrastructure, publicly trusted certificates, infrastructure that is distributed. It didn't go very far because of the entrenchment of how things work today, but where we are seeing something interesting is actually in distributed domains, which is none ICAN-based domains. Right. And so therefore, who is providing the equivalent of SSL for those? It's actually a distributed ID. Right? So, in other words, that's interesting and, therefore, as Tim says, there's a lot of different kinds of nails out there. Well now we're even talking about whole different concepts of buildings where the nails are being used. It's really amazing. And I think, Alan, where we need to go with this is something more pure, right? Go down to a really centralized concept such as can you create a distributed Certificate Authority where, you know, for many tasks and many toolings something that is centralized makes a lot more sense and that's where PKI lives today, but are there use cases where a distributed concept of a Certificate Authority exists? And I think there are protocols such as REM and others that are trying to do this. I think they're interesting and I think that may be a future podcast, but if you have any comments about it right now, Alan, I'd love to hear it.

• 

  Alan Grau

  I think if you start from the ground up and say, ok, we're not going to worry about something that replaces all the existing infrastructure, but we're starting, you know, from the ground up. Is there a way to do things differently, you know, and if so, does Blockchain have a role and can we build something that's maybe not universally better, but is, but is great in certain use cases then, yeah, think there start to be some really interesting things there and yeah, there are definitely some initiatives around the IoT, in the IoT space around these types of projects, as well as the one that you just mentioned with REM.

• 

  Tim Callan

  So, I think that this is a great future podcast topic. Alan, I think we're going to have to talk you into coming back to talking about that. Obviously, we don't have time to dig into that whole deep subject today, but that is really interesting juicy stuff and I want you both to promise me that we will find time to return to that because it's really an interesting topic.

• 

  Jason Soroko

  Yeah, Tim. I think we've got distributed domains, distributed CAs, a lot of podcast topics coming out of this.

• 

  Tim Callan

  Yeah. So that's great. Why don't we leave it there for now? Listeners, teaser…got to keep watching because we're going to get into these exciting ideas. Alan, as always, thank you for joining us.

• 

  Alan Grau

  Thanks, Tim.

• 

  Tim Callan

  Jay, as always, it's fun. Thank you once again.

• 

  Jason Soroko

  You got it, Tim. Take care.

• 

  Tim Callan

  And, thank you to the listeners. This has been Root Causes.