IC as Certified Authority

I want my canister to issue SSL certificates, so later these certificates could be used for HTTPS connection with the IC’s pubkey as a root issuer. Is this possible?

Hey @senior.joinu,

That’s not possible for a couple of reasons from my understanding:

  1. BLS signatures are not supported by TLS AFAIK
  2. You currently can’t sign custom messages, i.e. x.509 certificate with the IC, but you can only use certified data.
  3. We use another data structure for delegations.

The other approach would be using tECDSA:

I’ve written a few sentences about this here: grant-rfps/requests-for-startups.md at main · dfinity/grant-rfps · GitHub

However, here the issue is as well that the secp256k1 curve is currently not supported by TLS.


Do you see it ever becoming possible to build a decentralized certificate authority on the IC?


You can build it now with tECDSA, just not for the web PKI. There are other applications for certificate authorities (enterprise infrastructure, Kubernetes clusters) though, and the secp256k1 curve could be supported there (because it’s. That’s why I think building an ACME server with IC support would be interesting.

It’s a pity that secp256k1, although widely used, is not standardized by NIST. The web PKI does support ECDSA, but only using the secp256r1 curve. It would surely be possible to do tECDSA with that curve as well but I’m not aware of any concrete plans to work on that.

1 Like