Stop renewing TLS certificates !

Certificate renewal is a superfluous subscription service that comes on top of the subscriptions for domain names; it adds unnecessary complexity and cost. For future web businesses to scale and to expose hundreds of internet-facing services efficiently and securely, a radical shift is needed: the management of TLS identities has to change.

The Domain Name System

One core technology of the public internet is the Domain Name System. Companies and individuals can purchase domain names, create subdomains and TXT records, and use them to publish web services to the world.

The DNS imposes yearly renewals on its users (domain name owners). This makes sense, because a brand or company may no longer exist 5 years from now; renewals ensure that domain names are actively used, or at least still endorsed by someone.

Another reason for renewals is economic incentive: the DNS is operated by many corporations accredited by ICANN, and the purchase and renewal of domain names is how they earn money and are able to provide trustworthy and resilient services.

What are TLS/HTTPS certificates?

HTTPS/TLS certificates are the real topic of this article. A TLS certificate is, in essence, a block of data (opaque to a human reader) that browsers and other clients use to agree on a secret string with the server. That secret is then used (symmetric encryption) to encrypt web pages and form data, giving truly confidential client-server communication.

Why do you renew your certificates?

You have to renew certificates because you are not responsible for your identities on the secure web (anything that starts with https://); the companies actually responsible for the validity and trustworthiness of certificates are the Certificate Authorities (Let’s Encrypt, Sectigo, etc.). Those companies want to make sure, as often as possible, that the certificate they signed for adidas.com is still valid.

If it is not, someone other than adidas.com may be able to decrypt all the data that browsers exchange with adidas.com. That is not good.

The big picture

To exist on the web, there are two networks to which we must constantly prove our trustworthiness, and in the end pay for that service: the Domain Name System (DNS) and the Certificate Authorities (CAs). Stranger still, the latter (CAs) rely on the DNS to verify identities, so the name system is in reality the true identity provider.

Why should we stop renewing certificates?

Certificate renewal is a superfluous subscription service with no justification other than “it has been designed this way to stay compatible with legacy systems”. In addition, since so many certificate authorities are installed in operating systems (400+ in Microsoft Windows), the protection they provide against man-in-the-middle attacks is insufficient for many businesses; this paper by security analysts describes SSL as an obscure distribution of trust.

Certificate Authorities rely on the name system (DNS) to verify identities, so the name system could and should offer TLS certificate distribution directly. From the beginning (when we knew that https was about to take over the world of web services), certificate distribution and TLS identities should have been integrated into the name system. Users should be able to upload a certificate directly to their DNS zone, without asking for yet another permission through certificate signing requests and renewals. There are of course dozens of reasons why this did not happen (DNS packet size, DNS traffic being insecure by default, etc.).
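The DNS does have a record type for exactly this, the DANE TLSA record (RFC 6698), which pins a server's certificate or public key in its own zone; it is only trustworthy on a DNSSEC-signed zone and mainstream browsers do not consult it. The Go program below is an added example, not code from the dappy project: it builds a constructed self-signed certificate, reports how many days of validity remain (the figure that the renewal discussed above resets) and renders the TLSA record that would pin its public key; the host name and port are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a constructed, throw-away certificate; host is sample data.
func selfSignedCert(host string, notBefore time.Time, days int) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days), // the only field a renewal moves
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// daysLeft is the number of whole days before clients stop accepting the
// certificate; a negative value means it has already expired.
func daysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// tlsaRecord renders the DANE TLSA record (RFC 6698) pinning the server's public key
// in its zone: usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).
func tlsaRecord(cert *x509.Certificate, port int) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return fmt.Sprintf("_%d._tcp.%s. IN TLSA 3 1 1 %s", port, cert.DNSNames[0], hex.EncodeToString(sum[:]))
}

func main() {
	now := time.Now().Truncate(time.Second)
	cert := selfSignedCert("www.example.com", now, 90) // 90 days, the Let's Encrypt lifetime
	fmt.Printf("%s\n%d days before renewal is forced\n", tlsaRecord(cert, 443), daysLeft(cert, now))
}
```

With a DANE-aware client, rotating the key means publishing a new TLSA record in the zone rather than obtaining a new CA signature; the expiry date in the certificate is what still forces renewal today.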

By inviting you to stop renewing certificates, we want to invite you to consider alternative name systems, and particularly the blockchain-based name systems that offer a high degree of disintermediation and direct management.

Challenges for the future

Worldwide user spending on SaaS went from USD 30B in 2015 to USD 172B in 2022. Web portals and web services will continue to grow and to be the target of sophisticated attacks, and securing them will face new challenges in the current decade. Some companies already manage dozens or even hundreds of endpoints and domain names.

Scaling, automation and maximal security will only be achieved through disintermediation. We need fewer or even no renewals, fewer third-party validations, fewer payments, fewer single points of failure and much simpler systems.

We (FABCO, the company leading the dappy project) have performed in-depth studies and are working with top analysts in many fields (PKI, DNS, network security). The issues around TLS identities and domain name management, and the need for a shift, are widely expressed by web businesses and security analysts.

In one way or another, every blockchain name system aims to address those issues; among them, dappy proposes a new way of distributing and validating certificates, you guessed it, with no need for certificate renewal.