Trust


Secure systems try to take things that are untrusted and add to them so that users or systems can confidently and safely interact. If it were possible, they would eliminate trust altogether by providing an environment where nothing is uncertain or potentially harmful. Because this isn't possible, secure systems treat almost everything as though it were an adversary.

Message digest functions and digital signatures improve trust by making it possible to test the integrity of information or authenticate parties so that a system can respond appropriately if something is wrong. Although secure systems are on guard for most things, they do trust certificate authorities. It's helpful to understand how these systems use trust with digital certificates.

Because there are many certificate authorities, subjects that want to interact with each other using certificates might have difficulty if they trust different certificate authorities. Several trust models have been defined to resolve this issue.

In the X.509 trust model, certificate authorities are organized hierarchically. Figure 10.5 illustrates a hierarchy of certificate authorities.

Figure 10.5. X.509 defines a hierarchical relationship in its trust model.


The most trustworthy CA is known as the root CA. It issues certificates to the CAs that are subordinate to it. These CAs might also issue certificates (to subjects or other CAs), resulting in a certification chain. For a subject to validate its key to another, the subject must present its own certificate, along with the certificates for all the CAs in its certification chain, to the other party. That party will attempt to find a CA that it trusts at the proper level in the hierarchy. If it finds one, it will determine that the subject's key is valid. For example, A and B both trust the ROOT CA. B and C both trust CA2.

Hierarchical trust models sometimes do not model real-world relationships. X.509 provides for some flexibility in this regard by allowing CAs to cross-certify. Figure 10.6 illustrates a scenario in which a certificate authority, CA1, has cross-certified with another certificate authority, CA3. In this case, A and B can validate each other's keys more directly.
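The chain walk described in the last two paragraphs, as an added example that is not code from the book: certificates are reduced to subject-to-issuer relationships (signature checking is assumed to have been done already), the placement of A, B and C under the CAs is an assumption because Figures 10.5 and 10.6 are not reproduced here, and cross-certification is modelled as each CA issuing a certificate for the other. The relying party walks up from the presented certificate and stops at the first CA it trusts, which is why B, trusting only CA3, can validate A only once CA1 and CA3 have cross-certified.

```python
"""Model of X.509 hierarchical trust with optional cross-certification.

Added illustration, not code from the book. Certificates are modelled as
subject -> set-of-issuers entries; signatures are assumed already verified
so the example can focus on the trust-path logic.
"""
from collections import deque
from typing import Dict, List, Optional, Set

Certs = Dict[str, Set[str]]  # subject -> CAs that have issued it a certificate

# Constructed certificate set in the spirit of Figure 10.5. The figure is not
# reproduced, so the placement of A, B and C under the CAs is an assumption.
# A self-issued entry marks a root CA.
HIERARCHY: Certs = {
    "ROOT": {"ROOT"},
    "CA1": {"ROOT"},
    "CA2": {"ROOT"},
    "CA3": {"CA2"},
    "A": {"CA1"},
    "B": {"CA3"},
    "C": {"CA2"},
}


def cross_certify(certs: Certs, ca: str, peer: str) -> Certs:
    """Return a copy of certs in which `ca` and `peer` have certified each other.

    This is the Figure 10.6 situation: each CA now appears as an issuer of the
    other, so a chain may cross from one branch of the hierarchy to the other
    without going up to the root.
    """
    out = {subject: set(issuers) for subject, issuers in certs.items()}
    out.setdefault(peer, set()).add(ca)
    out.setdefault(ca, set()).add(peer)
    return out


def find_trust_path(subject: str, trusted: Set[str], certs: Certs) -> Optional[List[str]]:
    """Breadth-first walk from the subject's certificate up through its issuers.

    Returns the shortest chain subject -> ... -> trusted CA, or None when no CA
    reachable through the presented certificates is one the relying party
    trusts. The walk stops at the first trusted CA; the root is not required.
    """
    if subject not in certs:
        return None
    queue = deque([[subject]])
    seen = {subject}
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current in trusted:
            return path
        for issuer in certs.get(current, ()):
            if issuer not in seen:  # self-issued roots and cross-cert loops end here
                seen.add(issuer)
                queue.append(path + [issuer])
    return None


def is_valid(subject: str, trusted: Set[str], certs: Certs) -> bool:
    """True when the relying party can reach a CA it trusts from the subject's certificate."""
    return find_trust_path(subject, trusted, certs) is not None


if __name__ == "__main__":
    print("B trusts ROOT, validates A via", find_trust_path("A", {"ROOT"}, HIERARCHY))
    print("B trusts only CA3, validates A via", find_trust_path("A", {"CA3"}, HIERARCHY))
    crossed = cross_certify(HIERARCHY, "CA1", "CA3")
    print("after CA1/CA3 cross-certify, via", find_trust_path("A", {"CA3"}, crossed))
```

The path returned is the set of certificates the subject would have to present; a relying party that trusts only its own issuing CA accepts a shorter chain once a cross-certificate exists, and rejects the subject outright when its chain never reaches a trusted CA.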

Figure 10.6. X.509 certificate authorities might cross-certify with each other.


Although X.509 requires that only certificate authorities issue certificates, other models of trust permit ordinary users to create their own certificates, in effect becoming their own CA.

Two models of trust are common:

  • Direct trust: In the direct trust model, a user trusts that another's key is valid because the user is certain that the key came from its source.

  • Web of trust: The web of trust model comes from Phil Zimmermann, the designer of the popular Pretty Good Privacy (PGP) software. In this model, a key is valid if it has been "signed" by one or more PGP users that have validated the identity of the key owner.

Figure 10.7 shows a web of trust that includes four users.

Figure 10.7. The PGP web of trust model.


In this example, Carol and Alice signed each other's key when they met at a key-signing party, where Carol and Alice verified their identities. Carol had met Bob previously. At that time, Carol verified Bob's identity and signed Bob's key. However, Carol forgot her identification, so Bob did not sign Carol's key. In this web of trust, Alice and Bob can validate each other's keys, because Carol has validated both of their keys. Now that Alice trusts Bob, she can also trust Dave because Bob and Dave trust each other.

A unique feature of the web of trust model is that, as other users' public keys are added to the keyring (a place where users store certificates), the keyring owner can assign a trustworthiness level. In our previous example, if Alice assigned Carol's public key (on Alice's own keyring) a trustworthiness level of untrusted, Alice cannot validate Bob's key. If more than one key were available to validate Bob's key, PGP would use the sum of the trustworthiness levels to determine if enough trust was present among all of them to validate the key.
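The validity computation behind the Alice, Bob, Carol and Dave example and the trust-level paragraph above, as an added illustration that is not code from the book or from PGP: the signature graph is constructed from the text (Alice and Carol signed each other, Carol signed Bob, Bob did not sign Carol, Bob and Dave signed each other), the three trust levels and the validation threshold are assumptions modelled loosely on PGP's marginal/complete idea, and a signer's trust level only counts once that signer's own key is valid, so the valid set is grown to a fixed point.

```python
"""Model of PGP-style web-of-trust key validity on one user's keyring.

Added illustration, not code from the book or from PGP. The trust levels and
the threshold are assumptions; real PGP has more levels and configuration.
"""
from typing import Dict, Set

UNTRUSTED, MARGINAL, COMPLETE = 0, 1, 2
THRESHOLD = COMPLETE  # assumption: one complete signer or two marginal ones

# Constructed from the Figure 10.7 discussion: key -> users who signed it.
SIGNATURES: Dict[str, Set[str]] = {
    "alice": {"carol"},
    "carol": {"alice"},          # Bob did not sign Carol's key
    "bob": {"carol", "dave"},
    "dave": {"bob"},
}


def valid_keys(owner: str, trust: Dict[str, int],
               signatures: Dict[str, Set[str]],
               threshold: int = THRESHOLD) -> Set[str]:
    """Return the keys the keyring owner can treat as valid.

    Rules (an interpretation of the text, not PGP's exact algorithm):
      * the owner's own key is valid, and the owner's own signature alone
        validates a key;
      * any other key is valid when the trust levels the owner assigned to
        its *valid* signers sum to at least `threshold`;
      * a signer whose key is not (yet) valid contributes nothing, so the
        set is grown until no further key can be added.
    """
    valid = {owner}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            if owner in signers:
                score = threshold
            else:
                score = sum(trust.get(s, UNTRUSTED) for s in signers if s in valid)
            if score >= threshold:
                valid.add(key)
                changed = True
    return valid


if __name__ == "__main__":
    # Alice trusts Carol and (later) Bob completely: every key becomes valid.
    print(sorted(valid_keys("alice", {"carol": COMPLETE, "bob": COMPLETE}, SIGNATURES)))
    # Alice marks Carol untrusted: Carol's key stays valid (Alice signed it
    # herself) but Carol's signature no longer validates Bob, and so not Dave.
    print(sorted(valid_keys("alice", {"carol": UNTRUSTED, "bob": COMPLETE}, SIGNATURES)))
```

The distinction the model makes explicit is the one the text relies on: whether a key is valid (the owner is satisfied it belongs to the named person) is separate from how much the owner trusts that person to vouch for others, and only the second quantity is summed across signers.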

PGP is used solely for the secure exchange of email, but the web of trust is an interesting trust model to developers of peer-to-peer software. The decentralized nature of the web of trust and its relative simplicity make this model potentially useful.

Note

PGP is extremely popular software used to secure email. It integrates rather nicely with most popular email programs. For more information, you can visit http://web.mit.edu/network/pgp.html or http://www.pgpi.org/.

Java™ P2P Unleashed
Year: 2002
Pages: 209