Protocol Details #
Current certificate systems protect online communications through the secure delivery of public keys, which correspond to identities, which use the corresponding secret private key to decrypt messages sent to them and prove that they sent messages (by signing them with the private key). Additionally users cannot be sure that their communications have not been compromised by fraudulent certificates that allow MITM (man-in-the-middle) attacks, which are difficult to detect.
DECA’s goal is to ensure that no third party can compromise the integrity and security of the entire system, and is fully capable of providing similar or higher security properties through the use of decentralized data storage consensus technology.
DECA builds on the existence of validators, but their role is limited to ensuring communication security and integrity, by leveraging identifiers in decentralized storage, through a series of algorithms that allow these values to be read globally in a secure way, which This way is less vulnerable to MITM attacks that may occur in PKI. This is achieved by linking the lookup value of a decentralized identifier to the latest and most correct public key for that identifier.
Decentralized OCSP #
As an important information of application identity, digital certificate is very important to ensure network communication trust. Therefore, certificate revocation is critical to mitigate vulnerabilities and potential key disclosure. The certificate holder can revoke an untrusted certificate.
DECA in combination with FEVM, has implemented a decentralized OCSP authentication system. It uses smart contracts to store and verify the status of certificates. The verifier uses certificate identifiers to verify the online status information of certificates through smart contracts, and returns the certificate status information to the verifier. The whole process has no centralized OCSP server. The verifier interacts with the FEVM to achieve decentralized OCSP online certificate authentication.