Designing a Global Authentication Infrastructure

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

We address the problem of scaling authentication for naming, routing, and end-entity certification to a global environment in which authentication policies and users’ sets of trust roots vary widely. The current mechanisms for authenticating names (DNSSEC), routes (BGPSEC), and end-entity certificates (TLS) do not support a coexistence of authentication policies, affect the entire Internet when compromised, cannot update trust root information efficiently, and do not provide users with the ability to make flexible trust decisions. We propose a Scalable Authentication Infrastructure for Next-generation Trust (SAINT), which partitions the Internet into groups with common, local trust roots, and isolates the effects of a compromised trust root. SAINT requires groups with direct routing connections to cross-sign each other for authentication purposes, allowing diverse authentication policies while keeping all entities globally verifiable. SAINT makes trust root management a central part of the network architecture, enabling trust root updates within seconds and allowing users to make flexible trust decisions. SAINT operates without a significant performance penalty and can be deployed alongside existing infrastructures.


💡 Research Summary

The paper tackles a fundamental weakness in today’s Internet authentication ecosystem: the reliance on monolithic or flat trust‑root models for DNSSEC, BGPSEC/RPKI, and TLS. In the “monopoly” model a single global root (e.g., ICANN for DNSSEC) must be trusted by everyone, creating a single point of failure. In the “oligarchy” model, hundreds of root CAs are treated as equal authorities, which means a compromise of any one can affect the entire world, and users have no practical way to select or change the roots they trust. The authors argue that these models violate several desirable properties for a globally connected user: isolated authentication (compromise should be contained), trust agility (easy selection and modification of roots), trust mobility (the same trust decisions should work everywhere), global verifiability (any reachable entity should be authenticable), transparent authentication (the user should see which roots are involved), and update efficiency (root changes should propagate quickly without software updates).

To address these gaps, the authors propose SAINT – a Scalable Authentication Infrastructure for Next‑generation Trust. SAINT’s cornerstone is the concept of Isolation Domains (ISDs). An ISD is a collection of autonomous systems that share a common set of trust roots and policies for routing, naming, and end‑entity certification. ISDs can correspond to natural groupings such as countries, corporations, or consortia. By confining the authority of a root to its ISD, a breach in one domain does not automatically jeopardize others, thereby achieving isolated authentication.

SAINT introduces Trust Root Configuration (TRC) files. A TRC contains the public keys, policies, and metadata of all trust roots belonging to a particular ISD. Crucially, TRC files are disseminated using the same distribution channels as routing updates (e.g., BGPSEC UPDATE messages) and DNS responses. Because routing updates already propagate within seconds across the Internet, TRC files inherit this rapid dissemination, giving the system update efficiency. Users can obtain a new TRC file at any time (e.g., by downloading it from a trusted source) and instantly switch their trust anchor set, providing trust agility without requiring OS or browser upgrades.

Cross‑signing is the mechanism that stitches together the otherwise isolated ISDs. When two ISDs have a direct routing link, their respective trust roots must issue cross‑certificates that sign each other’s TRC files. This requirement guarantees that any reachable destination lies on a path of ISDs that have mutually cross‑signed their roots, thereby establishing a chain of signatures from the user’s home ISD to the destination ISD. The chain gives global verifiability (any reachable entity can be authenticated) and transparent authentication (the user can see exactly which ISDs contributed signatures). Because cross‑signing is limited to ISDs that actually exchange traffic, the system avoids the unrealistic expectation that every country or organization will certify every other.

SAINT separates routing authentication from service authentication (names and end‑entity certificates). Routing authentication relies on the RPKI/BGPSEC infrastructure within each ISD, while service authentication starts from the user’s home TRC and follows the cross‑signed ISD chain to the target. This separation eliminates circular dependencies that plague current RPKI deployments and allows trust decisions made in one location to remain valid elsewhere, fulfilling trust mobility.

The security model assumes an adversary that can suppress, replay, or inject routing, DNS, and TLS messages and may compromise the private keys of one or more trust roots. Under standard cryptographic assumptions, SAINT confines the impact of such a compromise to the ISD that owns the compromised root. That root is revoked by issuing a new TRC file that no longer lists it; because TRC files travel over the routing channels, the replacement reaches verifiers within seconds, consistent with the update efficiency claimed for trust root changes in general.
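The three mechanisms above (versioned TRC updates, cross-signing between neighbouring ISDs, and revocation of a compromised root by publishing a new TRC) can be exercised end to end with a small model. The following Go program is an added example, not code from the paper or any SAINT implementation; it assumes a TRC layout (ISD name, version, root keys, quorum), Ed25519 signatures, and a rule that a TRC is accepted when a quorum of the anchoring TRC's roots signed it, none of which the paper specifies. Cross-certificates are modelled as direct signatures over the neighbour's TRC body, and the signer identifiers of the form "isd/root" are a naming convention of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// TRC is an assumed minimal layout (the paper says only: root keys, policies, metadata); Quorum = roots that must co-sign.
type TRC struct {
	ISD     string            `json:"isd"`
	Version int               `json:"version"`
	Roots   map[string][]byte `json:"roots"` // root name -> Ed25519 public key
	Quorum  int               `json:"quorum"`
}
// SignedTRC is a serialized TRC plus signatures keyed "isd/root".
type SignedTRC struct {
	Body []byte
	Sigs map[string][]byte
}

// newISD creates an ISD with n fresh roots; returns its TRC v1 and the private keys.
func newISD(isd string, n, quorum int) (TRC, map[string]ed25519.PrivateKey) {
	keys := map[string]ed25519.PrivateKey{}
	trc := TRC{ISD: isd, Version: 1, Roots: map[string][]byte{}, Quorum: quorum}
	for i := 0; i < n; i++ {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
		name := fmt.Sprintf("root%d", i)
		keys[name], trc.Roots[name] = priv, pub
	}
	return trc, keys
}

// sign signs a canonical JSON body (json.Marshal sorts map keys) with the given roots of signerISD; a subset of keys models a partial quorum.
func sign(trc TRC, signerISD string, keys map[string]ed25519.PrivateKey) SignedTRC {
	body, _ := json.Marshal(trc)
	s := SignedTRC{Body: body, Sigs: map[string][]byte{}}
	for name, priv := range keys {
		s.Sigs[signerISD+"/"+name] = ed25519.Sign(priv, body)
	}
	return s
}

// verifyWithAnchor needs at least anchor.Quorum valid signatures by anchor's roots over s; returns the TRC and who vouched.
func verifyWithAnchor(anchor TRC, s SignedTRC) (TRC, []string, error) {
	var trc TRC
	if err := json.Unmarshal(s.Body, &trc); err != nil {
		return trc, nil, err
	}
	vouched := []string{}
	for name, pub := range anchor.Roots {
		if sig, ok := s.Sigs[anchor.ISD+"/"+name]; ok && ed25519.Verify(pub, s.Body, sig) {
			vouched = append(vouched, anchor.ISD+"/"+name)
		}
	}
	if len(vouched) < anchor.Quorum {
		return trc, vouched, fmt.Errorf("TRC %s v%d: %d of %d required signatures from ISD %s", trc.ISD, trc.Version, len(vouched), anchor.Quorum, anchor.ISD)
	}
	return trc, vouched, nil
}

// acceptUpdate accepts version prev+1 of the same ISD if a quorum of prev's roots signed it; roots dropped from it are revoked.
func acceptUpdate(prev TRC, s SignedTRC) (TRC, error) {
	next, _, err := verifyWithAnchor(prev, s)
	if err == nil && (next.ISD != prev.ISD || next.Version != prev.Version+1) {
		err = fmt.Errorf("%s v%d does not succeed %s v%d", next.ISD, next.Version, prev.ISD, prev.Version)
	}
	if err != nil {
		return prev, err
	}
	return next, nil
}

// verifyPath walks the cross-signed chain from the home TRC; each hop needs a quorum of the previous hop's roots.
// The accumulated signer list is what transparent authentication would show the user.
func verifyPath(home TRC, path []SignedTRC) (TRC, []string, error) {
	cur, chain := home, []string{}
	for _, s := range path {
		next, vouched, err := verifyWithAnchor(cur, s)
		if err != nil {
			return cur, chain, err
		}
		chain, cur = append(chain, vouched...), next
	}
	return cur, chain, nil
}

func main() {
	// Constructed topology: home ISD A -- B -- C, destination in C; A cross-signs B's TRC, B cross-signs C's.
	trcA, keysA := newISD("A", 3, 2)
	trcB, keysB := newISD("B", 3, 2)
	trcC, _ := newISD("C", 3, 2)
	dst, chain, err := verifyPath(trcA, []SignedTRC{sign(trcB, "A", keysA), sign(trcC, "B", keysB)})
	fmt.Println("reached", dst.ISD, "vouched by", chain, err)
	// B's root0 is compromised: v2 drops it, signed by the two remaining v1 roots; afterwards root0 alone cannot vouch for C.
	v2 := TRC{ISD: "B", Version: 2, Quorum: 2, Roots: map[string][]byte{"root1": trcB.Roots["root1"], "root2": trcB.Roots["root2"]}}
	trcB2, err := acceptUpdate(trcB, sign(v2, "B", map[string]ed25519.PrivateKey{"root1": keysB["root1"], "root2": keysB["root2"]}))
	fmt.Println("B at version", trcB2.Version, err)
	_, _, err = verifyPath(trcA, []SignedTRC{sign(trcB2, "A", keysA), sign(trcC, "B", map[string]ed25519.PrivateKey{"root0": keysB["root0"]})})
	fmt.Println("revoked root vouching for C:", err)
}
```

The same verifyWithAnchor check serves both a version update (the anchor is the previous TRC of the same ISD) and a cross-signature (the anchor is the previous hop's TRC), which is what keeps the chain from the home ISD to the destination uniform. Isolation falls out of the anchoring rule: a key that is not in the current anchor's root set counts for nothing, so once B's v2 has propagated, the compromised root0 can neither rotate B's TRC by itself (one signature against a quorum of two) nor vouch for anything downstream of B, while paths that never cross B are untouched.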

Performance evaluation (briefly reported) indicates that the additional cryptographic checks for cross‑signing and TRC verification add negligible latency to name resolution or TLS handshakes, and the extra routing state is modest compared to existing BGPSEC extensions. Because SAINT builds on existing protocols rather than replacing them, incremental deployment is feasible: operators can introduce ISDs, publish TRCs, and begin cross‑signing without breaking current DNSSEC, BGPSEC, or TLS services.

In summary, SAINT re‑architects Internet authentication by (1) partitioning the global network into trust‑isolated ISDs, (2) delivering trust‑root information via fast‑propagating TRC files, (3) requiring cross‑signing only between directly connected ISDs, and (4) cleanly separating routing from service authentication. These design choices jointly satisfy the six target properties identified by the authors, offering a path toward a more resilient, user‑centric, and globally scalable trust ecosystem. Future work suggested includes automated ISD formation, optimization of TRC distribution, and integration with legacy PKI ecosystems.

