Authentication Challenges in a Global Environment.

In this article, we address the problem of scaling authentication for naming, routing, and end-entity (EE) certification to a global environment in which authentication policies and users’ sets of trust roots vary widely. The current mechanisms for authenticating names (DNSSEC), routes (BGPSEC), and EE certificates (TLS) do not support a coexistence of authentication policies, affect the entire Internet when compromised, cannot update trust root information efficiently, and do not provide users with the ability to make flexible trust decisions. We propose the Scalable Authentication Infrastructure for Next-generation Trust (SAINT), which partitions the Internet into groups with common, local trust roots and isolates the effects of a compromised trust root. SAINT requires groups with direct routing connections to cross-sign each other for authentication purposes, allowing diverse authentication policies while keeping all entities’ authentication information globally discoverable. SAINT makes trust root management a central part of the network architecture, enabling trust root updates within seconds and allowing users to make flexible trust decisions. SAINT operates without a significant performance penalty and can be deployed alongside existing infrastructures.