Reading yet another issue with a certificate authority recently (in this case, a French agency being able to masquerade as Google for a MITM attack:
http://arstechnica.com/security/2013/12/french-agency-caught-minting-ssl-certificates-impersonating-google/), I thought about suitable alternatives for protecting privacy and ensuring validity, perhaps in a similar aspect to namecoin.
Essentially, the network itself can act as the Web of Trust; all the clients can have all the knowledge of every 'registered' (tbd) site, existing transaction histories serve instead to validate the domain/site has not been transferred to another party, and nobody can sweet-talk/hack a company into providing an illegitimate certificate.
Before I start contemplating the idea too deeply, is there general interest/critical flaws in regards to this? I can think of quite a few issues without thinking too much:
- Must start centralized until the network can 'self-sustain' itself to authenticate addresses (so like a master database - which then stands a chance of being exploited)
- MITM attacks against the authentication process itself - keep using certificates for some things?? In which case, what's the point of this
- Non-instant resolution; certificate setups can just query with the CA and check against a CRL - our method would require the network to respond before ascertaining the result. I guess the OS could be preemptive and download in advance, and clients (i.e. web browsers) query with the OS - but still far from perfect
- And perhaps most importantly - how can the coin correlate to 'earnings' - a coin per 'domain'? Little to no value in doing something like that though. Has to be an incentive; maybe providing a different coin - but that then has a whole host of other issues!
Interested to hear your opinions
And feel free to tell me the idea actually sucks
