Edit: I now skimmed through the linked architecture overview video and I don't see how that makes authentication any more secure: They seem to build a "distributed storage/management facility" for public keys from what I get from the video. How private keys are handled is nowhere mentioned. So I don't see how that makes anything more secure. From what I understand it might only make the verification part more distributed.
Specifically, what is it offering above, say, self-signed client certificates? From what I've read, you're not adding incontrovertible identity information to the blockchain so what does registering your certificate buy you?
Or put another way, when the server checks your status what do they find out?
I'm not dumb, but I'm also not a crypto expert and have no desire to become one. I also know next to nothing about the blockchain and have no desire to learn because it's not my field. My day-to-day walking around knowledge is already packed with stuff related to my field and I just don't have the bandwidth to also become a blockchain expert just to roll something out. I suspect most people who would potentially be rolling out software that would use a blockchain-based auth library are in the same boat.
As it stands I have absolutely no idea how this thing works or why I would ever want to use it.
As it the empty meaningless words this still can happen:
"Ethereum Classic (ETC) Hit by Double-Spend Attack Worth $1.1 Million"
From what I've found out, to add a block the following happens:
A set of 10 masternodes are randomly selected from the pool of masternodes. The probability of selection is somehow weighted by the node's reputation.
Q. How do the masternodes agree on that random selection?
Once 10 are selected, each creates a block and shares it with the other 9. One is selected.
Q. How do they agree on that one?
The winner gets a reward, adds the block and then the process is repeated. This seems reasonable.
Have I got this right? If so, it strikes me that the strength of the protocol is in the answer to the first question (not sure why there are 2 stages, why not just pick 1?).
> No more passwords — no more break-ins. REMME implements unbreakable, foolproof user authentication to protect your users, employees, and company’s data from cyber attacks.
This is laughable. Nothing is unbreakable. This is using a blockchain so I'd be willing to bet that it's vulnerable to the 51% attack.
This account's post history is also suspicious. They only post articles and links to this project, and do not have any comments (no community engagement).
Does it come with its own 51% exploit?
Yes, it's a product, monetized by yet another crypto-coin: https://remme.io/
you can send coins securely with Ark in less than 8 seconds
>use obscene amount of energy
not in Ark, or any other DPOS
>be vulnerable of 50%+ attacks
what is merged mining, DPOS, renewable energy? the world may never know.
"CertLedger: A New PKI Model with Certificate Transparency Based on Blockchain" (2018) https://arxiv.org/pdf/1806.03914
"TABLE 1: Security comparison of Log Based Approaches to Certificate Management" (p.12) lists a number of criteria for blockchain-based PKI implementations:
- Resilient to split-world/MITM attack
- Provides revocation transparency
- Eliminates client certificate validation process
- Eliminates trusted key management
- Preserves client privacy
- Require external auditing
- Monitoring promptness
... These papers also clarify why a highly-replicated decentralized trustless datastore — such as a blockchain — is advantageous for PKI. WoT is not mentioned.
"Blockchain-based Certificate Transparency and Revocation Transparency" (2018)
Who can update and revoke which records in a permissioned blockchain (or a plain old database, for that matter)?
Letsencrypt has a model for proving domain control with ACME; which AFAIU depends upon DNS, too.