I'm trying to understand how to perform authentication in a P2P network without a central server. Given a network with no central trusted unit and a PKI, how can one be sure of the authenticity of the public keys?
Usually the public keys would be signed by some central trusted authority which guarantees the authenticity of the keys. However, in a P2P network without a central server no such unit exists. This raises the question of how to trust the authenticity of the public keys.
Is it possible to use a web of trust approach? How many peers must sign a public key before it can be trusted?
Is it possible to use a distributed ledger or a block chain?
Are there alternatives to a PKI in this scenario?
Example of the problem:
A user, userA, can generate his key pair and propagate his public key on the network. Then a second user, userB, can generate a new key pair and propagate the public key on the network, claiming it belongs to userA. Then when I want to send a message to userA, I will find two public keys: the one generated by userA, and the fake one generated by userB. Without a central trusted unit to sign the key, I will have no way of knowing which key actually belongs to userA, and I may end up communicating with userB believing it is userA.
The question is similar to this one, but hopefully some work has been done in the last 7 years.
How to perform authentication without central server in P2P?
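
The impersonation scenario from the question, as an added Go example that is not part of the original post: both announcements for userA carry a valid self-signature, so only endorsements made by keys the verifier already trusts tell them apart. The struct layout, the function names, the peer `carol` and the out-of-band trust in her key are assumptions made for illustration; how many trusted endorsements to require is left to the caller.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Announcement is a name-to-key claim as it circulates on the network.
type Announcement struct {
	Name         string
	Key          ed25519.PublicKey
	SelfSig      []byte            // made with the announced key itself
	Endorsements map[string][]byte // endorser name -> signature over binding
}

// NewAnnouncement makes a fresh key pair and claims name for it; any peer can.
func NewAnnouncement(name string) (Announcement, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	a := Announcement{Name: name, Key: pub, Endorsements: map[string][]byte{}}
	a.SelfSig = ed25519.Sign(priv, binding(a))
	return a, priv
}

// binding is what every signature covers: the name, a separator, the key.
func binding(a Announcement) []byte { return append([]byte(a.Name+"\x00"), a.Key...) }
// SelfSigned proves only possession of the private key, not identity.
func SelfSigned(a Announcement) bool { return ed25519.Verify(a.Key, binding(a), a.SelfSig) }
// Endorse records another peer's signature over the name-to-key binding.
func Endorse(a Announcement, by string, priv ed25519.PrivateKey) { a.Endorsements[by] = ed25519.Sign(priv, binding(a)) }

// TrustedEndorsements counts valid endorsements by already-trusted peers (pass each once).
func TrustedEndorsements(a Announcement, trusted ...Announcement) (n int) {
	for _, t := range trusted {
		if sig, ok := a.Endorsements[t.Name]; ok && ed25519.Verify(t.Key, binding(a), sig) {
			n++
		}
	}
	return n
}

func main() {
	realA, _ := NewAnnouncement("userA")
	fakeA, _ := NewAnnouncement("userA") // constructed: userB claiming userA's name
	carol, carolPriv := NewAnnouncement("carol") // assumed verified out of band
	Endorse(realA, "carol", carolPriv)
	fmt.Println(SelfSigned(realA), SelfSigned(fakeA), TrustedEndorsements(realA, carol), TrustedEndorsements(fakeA, carol))
}
```

An endorsement filed under a trusted peer's name but signed with a different key is not counted, because each signature is checked against the key already held for that peer.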