Ghazal: Toward Truly Authoritative Web Certificates Using Ethereum

  • Seyedehmahsa Moosavi
  • Jeremy ClarkEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10958)


Recently, a number of projects (both from academia and industry) have examined decentralized public key infrastructures (PKI) based on blockchain technology. These projects vary in scope from fullfledged domain name systems accompanied by a PKI to simpler transparency systems that augment the current HTTPS PKI. In this paper, we start by articulating, in a way we have not seen before, why this approach is more than a complementary composition of technologies, but actually a new and useful paradigm for thinking about who is actually authoritative over PKI information in the web certificate model. We then consider what smart contracts could add to the web certificate model, if we move beyond using a blockchain as passive, immutable (subject to consensus) store of data—as is the approach taken by projects like Blockstack. To illustrate the potential, we develop and experiment with an Ethereum-based web certificate model we call Ghazal, discuss different design decisions, and analyze deployment costs.



J. Clark thanks NSERC, FRQNT, and the Office of the Privacy Commissioner of Canada for funding that supported this research.


  1. 1.
    Ethereum development tutorial ethereum/wiki wiki. Accessed 12 July 2017
  2. 2. git - sovereign-keys.git/blob - sovereign-key-design.txt.;a=blob;f=sovereign-key-design.txt;hb=HEAD. Accessed 10 Jan 2018
  3. 3.
    Godaddy owns up to role in epic twitter account hijacking—pcworld. Accessed 13 Feb 2018
  4. 4.
    Home. Accessed 29 Dec 2017
  5. 5.
    Al-Bassam, M.: SCPKI: a smart contract-based PKI and identity system. In: Proceedings of the ACM Workshop on Blockchain, Cryptocurrencies and Contracts, pp. 35–40. ACM (2017)Google Scholar
  6. 6.
    Ali, M., Nelson, J.C., Shea, R., Freedman, M.J.: Blockstack: a global naming and storage system secured by blockchains. In: USENIX Annual Technical Conference, pp. 181–194 (2016)Google Scholar
  7. 7.
    Axon, L., Goldsmith, M.: PB-PKI: a privacy-aware blockchain-based PKI (2016)Google Scholar
  8. 8.
    Basin, D., Cremers, C., Kim, T.H.-J., Perrig, A., Sasse, R., Szalachowski, P.: ARPKI: attack resilient public-key infrastructure. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 382–393. ACM (2014)Google Scholar
  9. 9.
    Bonneau, J.: EthIKS: using ethereum to audit a CONIKS key transparency log. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 95–105. Springer, Heidelberg (2016). Scholar
  10. 10.
    Buterin, V., et al.: A next-generation smart contract and decentralized application platform. White paper (2014)Google Scholar
  11. 11.
    Chase, M., Meiklejohn, S.: Transparency overlays and applications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 168–179. ACM (2016)Google Scholar
  12. 12.
    Clark, J., van Oorschot, P.: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE S&P (2013)Google Scholar
  13. 13.
    Durumeric, Z., Kasten, J., Bailey, M., Halderman, J.A.: Analysis of the https certificate ecosystem. In: IMC (2013)Google Scholar
  14. 14.
    Fromknecht, C., Velicanu, D., Yakoubov, S.: Certcoin: a namecoin based decentralized authentication system 6.857 class project (2014)Google Scholar
  15. 15.
    Hardjono, T., Pentland, A.S.: Verifiable anonymous identities and access control in permissioned blockchains (2016)Google Scholar
  16. 16.
    Holz, R., Braun, L., Kammenhuber, N., Carle, G.: The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements. In: IMC (2011)Google Scholar
  17. 17.
    Kalodner, H.A., Carlsten, M., Ellenbogen, P., Bonneau, J., Narayanan, A.: An empirical study of namecoin and lessons for decentralized namespace design. In: WEIS (2015)Google Scholar
  18. 18.
    Laurie, B.: Certificate transparency. Queue 12(8), 10 (2014)CrossRefGoogle Scholar
  19. 19.
    Liu, D., Hao, S., Wang, H.: All your DNS records point to us: understanding the security threats of dangling DNS records. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1414–1425. ACM (2016)Google Scholar
  20. 20.
    Luu, L., Chu, D.-H., Olickel, H., Saxena, P., Hobor, A.: Making smart contracts smarter. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 254–269. ACM (2016)Google Scholar
  21. 21.
    Marlinspike, M.: SSL and the future of authenticity. In: Black Hat, USA (2011)Google Scholar
  22. 22.
    Matsumoto, S., Reischuk, R.M.: IKP: Turning a PKI around with blockchains. IACR Cryptology ePrint Archive, 2016:1018 (2016)Google Scholar
  23. 23.
    Melara, M.S., Blankstein, A., Bonneau, J., Felten, E.W., Freedman, M.J.: Coniks: bringing key transparency to end users. In: USENIX Security Symposium, pp. 383–398 (2015)Google Scholar
  24. 24.
    Myers, M.: Revocatoin: options and challenges. In: Hirchfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 165–171. Springer, Heidelberg (1998). Scholar
  25. 25.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)Google Scholar
  26. 26.
    Son, S., Shmatikov, V.: The Hitchhiker’s guide to DNS cache poisoning. In: Jajodia, S., Zhou, J. (eds.) SecureComm 2010. LNICST, vol. 50, pp. 466–483. Springer, Heidelberg (2010). Scholar
  27. 27.
    Syta, E., et al.: Keeping authorities “honest or bust” with decentralized witness cosigning. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 526–545. IEEE (2016)Google Scholar
  28. 28.
    Szabo, N.: Formalizing and securing relationships on public networks. First Monday 2(9) (1997)Google Scholar
  29. 29.
    Topalovic, E., Saeta, B., Huang, L.-S., Jackson, C., Boneh, D.: Towards short-lived certificates. In: Web 2.0 Security and Privacy (2012)Google Scholar
  30. 30.
    Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: improving SSH-style host authentication with multi-path probing. In: USENIX Annual Tech (2008)Google Scholar
  31. 31.
    Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum Project Yellow Paper, 151 (2014)Google Scholar
  32. 32.
    Zusman, M.: Criminal charges are not pursued: hacking PKI. DEFCON 17 (2009)Google Scholar

Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  1. 1.Concordia UniversityMontrealCanada

Personalised recommendations