Company X deploys a fleet of connected IoT devices with capabilities of Hardware Root of Trust, in which the private keys are integrated into the devices.
The System Administrator of Company X has an account registered on the blockchain.
He will need to install a special firmware (or just modify an existing version of it) on the IoT device (i.e.: a CCTV camera). It should generate a pair of keys in the device.
At this point, the SysAdmin obtains device public-key and stores it on the blockchain using his account. The device is able to send the public-key by itself, but it needs access to the account. As an alternative, this could be done via a service where blockchain account keys are pre-installed.
Now the SysAdmin is able to set up a secure encrypted connection with all the CCTV cameras that he needs. In case he needs to revoke camera's public keys, he can do so by using the private key of his blockchain account.
The blockchain account
It has a pair of the public/private keys which the user generates with one of the project libraries on his device. The account enables to store public key on the blockchain as well as revoking them. Using the pair of keys of just one account, you may store on the blockchain as many public keys as you need. In blockchain technology, there are several ways to secure access to your account, for example, multi-signature.
Why should devices trust each other without a CA signature?
In this scenario, the Admin will send a request to the blockchain for storing the public keys of each of the two devices and will install private keys on each of them respectively. This way the admin is responsible for providing the correct public key connecting two devices/applications. Nobody can store a public key which was previously added to the blockchain.
What do you think about the case described? Are there any weaknesses which hackers can spot?
And what's about a service that can help to provide such certificates for admins and developers who are not willing to interact with the blockchain directly? Would you use such a service, if it were available?
Here you can have a look at a protocol able to perform the services described, other than a Public Key Infrastructure.