[632] in WWW Security List Archive
Re- Hierarchies and Webs of
daemon@ATHENA.MIT.EDU (Joe Tardo)
Tue Apr 25 20:54:45 1995
Date: 25 Apr 1995 13:08:00 -0700
From: "Joe Tardo" <joe_tardo@genmagic.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Subject: Time: 12:14 PM
OFFICE MEMO Re: Hierarchies and Webs of Trust Date: 4/25/95
Hal Finney writes:
> The big difference I see is that the web of trust at least as implemented
> in PGP is "non transitive". That means that there is no mechanism to
> follow a chain of trust from one signer to another. If A signs B's key,
> and B signs C's, then just because I trust A as a signer that gives me no
> basis to conclude that C's key is valid, and in fact PGP has no support
> for this kind of reasoning.
>
> With the hierarchical approach, OTOH, there is the assumption that trust
> is transitive in this sense. If RSA signs the key of MIT, and that key
> signs the MIT computer-science department key, and that key signs the
> key of some member of the CS department, then if I trust the RSA hierarchy
> I do conclude that the final key in the chain is valid. The reason is that
> (as I understand it) RSA, in signing the MIT key, is not just saying that
> the key in fact belongs to someone at MIT, but also that the owner of that
> MIT key will itself only sign keys correctly and responsibly. So I
> don't have to evaluate the trustworthiness of every key in a certificate
> chain; rather, there is an implicit promise on the part of each key that
> the key below it is trustworthy. This conclusion is aided by the fact
> that the hierarchy is not expected to be too deep, probably no more than
> three or four levels at most.

The "hierarchical approach" you are referring to is that used by PEM, based on
X.509. This builds on a lot of structure to constrain what you refer to as
"transitivity".

With the "hierarchical approach," the assumption is that interior nodes are
CA's and leaf nodes are not. From the naming attributes, you can tell
syntactically what (e.g., OU= vs. CN=) names are which. This lets you
"parse" a certificate chain, assuming, of course, that the CA's only certify
proper CA's further down the food chain, where "proper" means "according to
understood policy".

In your example, you could enter the hierarchy at the MIT root key if
you had your own trusted copy of it, use it to verify a departmental (OU)
key (you trust how this CA runs its business), and use that to verify a
member (CN) certificate. You would not confuse a random student's
certificate for a CA.

The "big difference" is that the PGP web of trust builds on no such
structure, for better or worse. There are no CA's or everybody's a CA,
depending on how you look at it.

Joe
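
Added example, not part of the message above: a sketch of the syntactic chain "parse" the reply describes, entering at a locally trusted MIT name and rejecting a chain in which a member (CN=) name appears in a CA position. All names are constructed, treating O= as well as OU= as a CA name is an assumption of this example, and signature verification is left out.

```python
# Added illustration; all names below are constructed samples.
# Assumption: a name ending in O= or OU= is a CA, one ending in CN= is a leaf.
CA_TYPES = {"O", "OU"}

def parse_dn(dn):
    """Split 'C=US, O=MIT' into [(type, value), ...]; no escaped commas."""
    rdns = []
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not (sep and key.strip() and value.strip()):
            raise ValueError(f"malformed name component: {part!r}")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def role(dn):
    """Classify a name from its last (most specific) attribute type."""
    last_type = parse_dn(dn)[-1][0]
    if last_type == "CN":
        return "leaf"
    return "ca" if last_type in CA_TYPES else "unknown"

def check_chain(trusted_name, chain):
    """chain is [(issuer, subject), ...] from the trusted key downward.
    Returns (ok, detail). Signature verification is out of scope here."""
    expected = parse_dn(trusted_name)
    for i, (issuer, subject) in enumerate(chain):
        if parse_dn(issuer) != expected:
            return False, f"cert {i}: issuer does not match the name above it"
        kind = role(subject)
        if kind == "unknown":
            return False, f"cert {i}: cannot classify {subject!r}"
        if kind == "leaf" and i != len(chain) - 1:
            return False, f"cert {i}: leaf name {subject!r} used as a CA"
        expected = parse_dn(subject)
    return True, (role(chain[-1][1]) if chain else "empty")

ANCHOR = "C=US, O=MIT"  # the verifier's own trusted copy of the MIT key name
DEPT = "C=US, O=MIT, OU=Computer Science"
GOOD = [(ANCHOR, DEPT), (DEPT, DEPT + ", CN=Some Member")]
STUDENT = "C=US, O=MIT, CN=Random Student"
BAD = [(ANCHOR, STUDENT), (STUDENT, "C=US, O=MIT, CN=Someone Else")]

if __name__ == "__main__":
    print(check_chain(ANCHOR, GOOD))
    print(check_chain(ANCHOR, BAD))
```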