When you receive an email message that is "signed" with someone's digital ID, how do you know that person really sent the message? Or, when someone receives a message signed with your digital ID, how likely is it that you actually sent the message? A large part of the answers to these questions revolves around the "trust models" that are built into digital identifications. There are two very different trust models that are popular today, a fact that is not well understood by many people using secure email. This article provides a brief overview of the major trust models -- hierarchical and peer – with pointers to further information.Hierarchical Trust
The hierarchical trust model is more common than the peer trust model. It is based on the principle of everyone knowing one common person whom everyone really, really trusts. Imagine the following scenario: You meet someone new at a party. She tells you that her name is Betty Boop. You ask, "How do I know your name is really Betty Boop? I need some proof." Betty says, "Okay. I know that you know Bob Jones over there. You know that Bob knows everyone in the world. Let's go talk to him." You both walk over to Bob. He looks at you and Betty, and assures you that in fact this is Betty Boop. You now believe that you have met Betty Boop, since you trust Bob and he vouched for Betty. This is the hierarchical trust model.
The hierarchical trust model can be extended to include subgroups. Suppose you join a new club called Espresso Lovers Anonymous (ELA). You want to make sure you can trust everyone you meet in the club, so you call up Bob Jones. Bob says the world has become too big and that he no longer knows everyone, including the people in ELA, but he will send Betty Boop in his place. Bob reminds you that he knows Betty and says that you can trust whatever she says about membership in ELA. When you go to the first ELA meeting, you ask Betty to introduce you to the other members. You trust what she tells you because you trust what Bob said about her.
To extend the analogy further, note that you only trust Betty to give you information about coffee lovers. If you join a yoga club (to work off the effects of too much coffee) you would not ask Betty to introduce you to people in that group, because you are not certain she can vouch for those people.
Hierarchical digital IDs work in the same way. There is a top-level trust authority, known by everyone using the IDs. In some cases, there is also an organization-level trust authority, which you believe can vouch for people within a certain subgroup.
The Notes ID system is a hierarchical trust scheme. You trust that a Notes username is valid because you trust the top-level Notes certifier that issued the user's ID file.
Domino allows you to create your own hierarchical IDs for external (non-Notes) email. Using this method is free, so you can avoid paying VeriSign for each ID. The drawback is that the top-level authority (which you create) is not implicitly trusted by everyone you communicate with. Nevertheless, some Domino shops opt to go this route. Details about using Domino as its own Certifying Authority are can be found in E-pro's article archives. .Peer Trust
Peer trust is based on the principle that there is no one who knows everyone, but that people who want to trust each other can find some trusted parties in common. Imagine the party scenario again: You meet Betty Boop and ask, "How do I know your name is really Betty Boop?" Betty says, "Well, there is no one at the party who knows everyone, but if I can find three friends whom we have in common, will you believe me?" You agree that this is reasonable. So Betty and you find three such people and you now trust that Betty is whom she says she is.
The drawback to the peer trust model is that establishing trust is more complicated and time-consuming.
A popular vendor for peer-trust digital IDs is Thawte. The IDs are free. Thawte refers to the peer model as the Web of Trust (WOT). Here is the home page for the Thawte WOT: www.thawte.com.
Here is a FAQ about the WOT.
Chuck Connell is president of CHC-3 Consulting , which helps organizations with all aspects of Domino and Notes. CHC-3 allows companies to outsource their Domino administration needs via DominoAdministration.com and runs the popular security site DominoSecurity.org .
This was first published in February 2003