Date: Thu, 12 Feb 1998 08:24:21 -0200 (EDT)
From: Ed Gerck
To: MCG
Subject: The role of trust in certification

Suppose we would paraphrase Augustine of Hippo and would discuss: "whether certificates are trustful because they certify, or certify because they are trustful." Then, like him, we might give the "doubtless reply" that they certify because they are trustful. On one level this is a fairly straightforward expression of the objectivist stance that trust is a quality of the certificate itself, as opposed to the subjectivist stance that trust is relative to the user (or, in other words, "trust is in the eyes of the beholder").

However, the risk is borne by the user (ie, the verifier, the relying party) who is in the subjective stance, so we must reject here the notion that trust is somehow embedded or infused in the certificate and accept that trust must be a concept relative to the user's point of view. Thus, for certificates, "trust is relative to the user" and "certificates are trustful because they certify" -- not the other way around.

The logical expression "certificates are trustful because they certify" has a far-reaching consequence: that trust on the certificate will be transferred to the user not from the certificate itself (the objective view) but from the user's perceived assurance (which must be received from a different information channel than the certificate itself, such as legal reliance on a CA's CPS, friendship reliance on a PGP's web-of-trust or protocol reliance on the Meta-Certificate Standard) that the certificate will work as desired -- it will certify.

Therefore, one may say that a certificate is like a tool, that is trusted because it is expected that it will work, while trust is a result of the user's perceived assurance on a set of declarations. The role of trust in certification is thus to be earned, not merely assigned.

Even though other logical unfoldments will be pursued elsewhere, regarding CAs, TTPs, etc., there is one direct (and expected) consequence which is worth mentioning here:

In any certification system, what makes a certificate trustworthy is not any magically infused trust from the certificate's issuer (eg, the CA). Rather, a certificate is trustworthy as decided by the user (ie, the party that relies on the information -- who is at risk), based on the trust the user decides to place in the certificate's issuer and as a function of perceived risks, costs, threats, situation, etc.

(text sections copied from [1])

Comments are welcome.

Cheers,

Ed

References:

[1] "Overview of Certification Systems: X.509, CA, PGP and SKIP" in http://www.mcwg.org/cert.htm
[2] "Towards a real-world model of trust" in http://www.mcwg.org/trustdef.txt

______________________________________________________________________
Dr.rer.nat. E. Gerck egerck@novaware.cps.softex.br
http://novaware.cps.softex.br
--- Meta-Certificate Group member, http://www.mcwg.org ---