
Introduction

The Blockchain and Smart Contracts Discussion Group was launched in July 2016. This report from the group offers recommendations and observations to Kantara Initiative covering the following scope:

...

Definition: Certificate Transparency is an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that permits monitoring of certificate authority (CA) activity and the detection of mis-issued certificates, and that allows anyone to audit the certificate logs themselves. The idea is that clients should refuse to honor certificates that do not appear in a log, providing an incentive for CAs to add all issued certificates to the logs. Merkle hash chaining is used to prove the order of events and the existence of transactions.

Benefits: Provides consequences for poor operational security at certificate authorities by increasing the chance of detecting improperly issued certificates.

Weaknesses: Requires widespread buy-in before incentives work; privacy tradeoffs with publicly attesting to every certificate issued.

The current approach to PKI is vulnerable to the threat of mis-issuance, which allows malicious actors to impersonate valid web sites and perform man-in-the-middle (MITM) attacks. The PKI trust model requires all parties to rely on the proper issuance of certificates by CAs, but does not provide a mechanism for monitoring compliance or enforcing remedial actions when noncompliance is discovered. If CAs operate with insufficient security, malicious actors can obtain fraudulent certificates through social engineering, insider attack or external hacking.

Certificate Transparency (CT) addresses these flaws by providing the capability to detect, prevent, and enable remediation of certificate mis-issuance.  Monitoring of logs provides detection of mis-issuance.  Logging deters CAs from poor security.  If monitoring detects potential mis-issuance then certificate revocation can remediate the problem.  The protocol is implemented and under active development. The base protocol is specified in IETF RFC 6962, with additional gossip protocols being developed as IETF Internet Draft draft-linus-trans-gossip-ct. As of this draft there are ten log operators (the tenth was added yesterday), and Google Chrome has implemented enforcement for some certificates.
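The Merkle hash chaining mentioned above can be illustrated with the tree hash and audit path definitions from RFC 6962. This is an added example, not part of the original report; the function names and the sample log entries are constructed for illustration.

```python
import hashlib

def leaf_hash(entry):
    return hashlib.sha256(b"\x00" + entry).digest()  # RFC 6962 leaf prefix 0x00

def node_hash(left, right):
    # The 0x01 prefix keeps interior nodes from being passed off as leaves.
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two < n (n > 1)

def tree_root(entries):
    if len(entries) == 0:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_root(entries[:k]), tree_root(entries[k:]))

def audit_path(m, entries):
    # Sibling hashes needed to rebuild the root from leaf m, lowest level first.
    if len(entries) <= 1:
        return []
    k = _split(len(entries))
    if m < k:
        return audit_path(m, entries[:k]) + [tree_root(entries[k:])]
    return audit_path(m - k, entries[k:]) + [tree_root(entries[:k])]

def root_from_path(leaf, m, n, path):
    # Recompute the root for leaf index m in a tree of n entries.
    if (n == 1) != (not path):
        raise ValueError("audit path length does not match tree size")
    if n == 1:
        return leaf
    k = _split(n)
    if m < k:
        return node_hash(root_from_path(leaf, m, k, path[:-1]), path[-1])
    return node_hash(path[-1], root_from_path(leaf, m - k, n - k, path[:-1]))

def verify_inclusion(entry, m, n, path, root):
    if not 0 <= m < n:
        return False
    try:
        return root_from_path(leaf_hash(entry), m, n, path) == root
    except ValueError:
        return False

# Constructed stand-ins for logged certificates (not real log entries).
LOG = [b"cert-A", b"cert-B", b"cert-C", b"cert-D", b"cert-E"]
ROOT, PROOF = tree_root(LOG), audit_path(2, LOG)
```

A client holding only the signed root hash, the tree size and the short audit path can confirm that a certificate is in the log without downloading the log itself.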

Ethical Diamond Trade

Ethical sourcing of minerals is a challenge in a world in which many natural resources are located in countries without strong civil society and worker protections. In the diamond trade, this issue is addressed through the Kimberley Process Certification Scheme (KPCS), a process established by the United Nations in 2003 to prevent "conflict diamonds" from entering the wholesale market in rough diamonds. The process involves countries that import or export rough diamonds issuing paper-based certificates attesting that the diamonds are not conflict diamonds, defined as "rough diamonds used by rebel movements or their allies to finance conflict aimed at undermining legitimate governments".

Problems with current approach: 

  • Kimberley Process Certificates have a known forgery problem. As paper-based certificates without modern anti-counterfeit technology, they are vulnerable to fraudulent issuance. There is no verification process for confirming authenticity, and every country has its own format for certificates. The KP enforcement page lists several countries of caution whose certificates should not be blindly trusted.
  • Due to the definition of "conflict diamond", the arrangement protects the rights of governments to control the diamond trade, rather than protecting the working conditions of legitimately mined diamonds. The World Bank report on conditions in the extractive industries shows numerous reports of fully authorized mining operations with appalling working conditions. Beyond the scope of the KPCS, there are efforts, funded by Apple and by the German civil society group GIZ, to promote the registration of small-scale miners for their protection and to support documentation of the supply chain all the way to the source (source: 2014 Diamond Development Initiative Annual Report).

Ways for blockchain to improve current approach:

  • import/export transactions recorded on a public ledger allowing the attestation to be done in a verifiable and accessible manner
  • issue blockchain based credentials to support identity registration of small scale miners, record chain of custody of diamonds from source to export 

CommonAccord

...owner: Jim...

CommonAccord is an initiative to create global codes of legal transacting by codifying and automating legal documents, including contracts, permits, organizational documents, and consents. We anticipate that there will be codes for each jurisdiction, in each language. For international dealings and coordination, there will be at least one "global" code.

...

...list all contributing authors here...