ITU-T X.509 Public-key infrastructure based on blockchain (DPKI)
Cybersecurity and applied game theory
Identity Management
DLT as a trust service
Rec. ITU-T X.509 | ISO/IEC 9594-8 (X.509) is an important cybersecurity standard providing the framework for public-key infrastructure (PKI). X.509 is used for securing banking, health, e-government, the power industry and the Internet of Things (IoT). It has served well where trust is established by a so-called trust anchor trusted by everyone in the PKI domain. It has proved difficult or impossible to establish global trust across a wider area. There is an increasing need for a Pan-European or even a worldwide set of interconnected PKI domains establishing global trust. The solution for establishing global trust seems to be trust by consensus rather than reliance on local trust anchors, which are not trusted in a wider context. Global trust by consensus implies the use of blockchain technology for interconnecting PKI domains.
An international standard cannot use current platforms as normative references. An analysis of existing blockchains reveals that we need something like the capabilities of the Hyperledger Fabric platform, as that platform has the concept of a world state database. DPKI needs a directory holding up-to-date certificate status information that is globally available to users of such information.
PKI information (public-key and attribute certificates) is forwarded to the blockchain to be validated by the node. If it is also successfully validated by other nodes, it is made available at all nodes on the network. Only genuine information is committed to the ledger.
There can be several reasons for cryptographic algorithms to be replaced. Weaknesses may be found in cryptographic algorithms. A future threat from quantum computers may also require migration to post-quantum cryptography (PQC). DPKI includes cryptography migration capabilities (crypto agility).
Users may also interface to a node to retrieve PKI information from the DPKI directory function.
ITU-T X.509-8 | ISO/IEC 9594-8, ITU-T X.510 | ISO/IEC 9594-11 and ITU-T X.508 | ISO/IEC 9594-12
Providing worldwide access control based on blockchain technology
Cybersecurity and applied game theory
Identity Management
DLT as a trust service
DLT as trust anchor infrastructure
Providing world-wide decentralised directory service based on blockchain
Cybersecurity and applied game theory
Identity Management
DLT as a trust service
DLT as trust anchor infrastructure
Bio
Erik Andersen is an independent consultant and the owner of Andersen's L-Service, based in Denmark. He holds a Ph.D. in Civil Engineering and has an extensive background in telecommunications and IT standardisation.
He spent 27 years at IBM as a system engineer, primarily focusing on telecommunication products. In 1980, IBM appointed him as its representative in Danish Standards, where he played a pivotal role in standardisation efforts. He later became the chair of the Danish committee for Open Systems Interconnection (OSI) standardisation, actively participating in numerous international ISO/IEC meetings.
Following his tenure at IBM, he remained engaged in international and European standardisation, contributing significantly to organisations such as EWOS, a subgroup under CEN. For over 15 years, he served as the rapporteur within ITU-T for the question responsible for the ITU-T X.500 series. Subsequently, he shifted his focus to technical work and, for more than 15 years, has been the project editor for the ITU-T X.500 series, including ITU-T X.509.
Dr. Andersen has extensive expertise in protocol analysis, development, and specifications, along with a strong background in cryptographic algorithms. He possesses in-depth knowledge of Abstract Syntax Notation One (ASN.1), as defined in the ITU-T X.680 and X.690 series of recommendations, which are essential for data type definitions and protocol specifications.
On June 28, 2024, he was honored with the IEC 1906 Award in recognition of his outstanding contributions to cybersecurity standardisation within IEC TC 57 WG 15.

Title & Organisation Name: Independent consultant with one-man company Andersen's L-Service, Denmark
Country: Denmark