Using the blockchain to notarize digital records isn’t an obvious choice to many people. They wonder why it can’t be done with traditional PKI techniques. It can, but there are several advantages to using a blockchain. First, a blockchain removes dependence upon any certificate authority or trusted 3rd party. Second, independent time-stamping creates important security benefits.
Here is a more detailed answer below.
Integrity and Authenticity
When giving a recipient a digital record, the issuer includes the recipient’s public key and signs everything with their private key. A record of this transaction (and a hash of the content) is anchored on the blockchain. The record given to the recipient contains the Merkle proof linking the credential with a specific blockchain transaction.
This is used to establish integrity of the record; i.e. that it hasn’t been tampered with. Additionally, the recipient-owned public key embedded in the record allows the recipient to prove ownership.
To establish authenticity, one must establish that the issuer owned the issuing key at the time the credential was issued. This is why a reliable timestamp is needed, expanded on below.
A reliable timestamp is clearly important in cases of credentials that expire, but it is also critical for a practical reason – the issuer must be able to rotate issuing keys, on a regular basis as part of security best practices, but more critically in response to a key leak.
To determine that a record was issued by a specific issuer when the issuing key was valid requires knowledge of the timestamp beyond anything written into the credential itself. Why? Because if the private key was leaked, there is nothing to prevent an attacker from issuing fake records and backdating the content. That means, even if an issuer has publicly revoked the record, an independent verifier would not know the difference between a valid and invalid record unless there were some additional authority attesting to when the transaction took place.
TSA vs Blockchain
Independent time stamping could be done through a trusted authority (TSA) – more commonly used in a PKI solution – but that places a dependency on a trusted third party.
On the other hand, the blockchain provides permanent, reliable time stamping by design. It would require massive computational effort – rewriting the entire blockchain – to tamper with the timestamps. So blockchain-based timestamps can prove existence of data at a certain point in time. Because the blockchain is a distributed ledger, it is not dependent on a trusted authority to provide reliable information. This improves general availability, the ability to independently verify, and it eliminates having a single point of failure.