Many of the services on which we depend on the Internet were designed at a time when communications security was not as much a concern as it is today. As security became increasingly important, existing services were augmented and retrofitted with security features and protocols. The toll was increased complexity and increasing difficulty in managing and maintaining the resulting protocol stack. A specific example is the design of DNSSEC, based on the original DNS augmented with PKI technology from the X.509 standard (PKIX). Another example is the proliferation of SSL/TLS as the go-to technology for establishing encrypted communication, which relies on PKIX as well. Unfortunately, PKIX is dominated by a few large players, and the practice of PKIX has become the target of significant criticism over technological, organizational and market failures.

When search engines emerged, user behavior changed. Users began to type only significant parts of a domain name into the search field and then clicked on the appropriate link in the search results to navigate to the intended site. This eventually led to the fusion of search fields and URL bars into a single field, for example Chrome's Omnibox. The latest step in the evolution of omniboxes is to shun domain names in favor of displaying components of distinguished names from Extended Validation certificates.

We argue that this paradigm shift ultimately allows us to 1) replace human-readable but insecure names with secure but random-looking identifiers, and to 2) disentangle, replace and simplify the existing stack of Internet services related to name services and security. We refer to our proposed replacement as CryptID.


  • Jan-Ole Malchow and Volker Roth
    CryptID - Distributed Identity Management Infrastructure
    In Proc. IEEE Conference On Communications And Network Security 2015, Florence, Italy, September 2015.
