What Is a Trust Model in Public Key Infrastructure?

A trust model is a collection of rules that tells an application how to decide the legitimacy of a digital certificate. Two types of trust model are widely used.




The hierarchical model, also called the CA model, is the foundation for most certification systems. It is also considered the traditional model, in use by the giant certification authorities. In this model, certificate users hand over their trust decisions to the CA instead of trying to prove the authenticity of a digital certificate themselves. Once you are assured that the CA you are dealing with is trustworthy, you are indirectly agreeing to trust every other certificate the CA vouches for.

In the hierarchical trust model the CA is at the top level, and trust flows from the top down to the end user. Because of this, end users are not burdened with proving their authenticity. One important thing to note is that the CA you trust may be cross-certifying another CA's PKI, in which case your system will automatically accept certificates of that CA as well. In practice it is advisable to know the CA's practices, as this will prevent you from accepting certificates from strangers.


In the web of trust there is no centralized organization making the decisions. The users themselves decide whom to trust, based on their personal experience and knowledge or on the suggestions and opinions of other individuals they trust. The web of trust is well known for its implementation in PGP.

If someone you already know provides you with their public key, then it's safe to tell your application that the key is trustworthy. This is achieved by signing the key. When other users receive your public key, they can see which keys you have signed. If they decide to trust you and sign your key, they are in turn trusting you and the other entities you trust. This is how the web of trust expands.

The entire process is handled by PGP servers, which hold a database of keys and the signatures that are regularly added to them. The web of trust works great for small organizations. The only disadvantage of the web-of-trust model is that when one user signs bad keys, the whole group is affected.
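
The transitive trust described above, and the effect of one user signing a bad key, shown as an added example that is not part of the original article. It is a simplified model in which every signature is fully trusted; the names, the sample signatures and the max_depth limit are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: each pair is (signer, key that signer vouched for).
SIGNATURES = [
    ("alice", "bob"),
    ("bob", "carol"),
    ("carol", "dave"),
    ("carol", "mallory"),    # carol signed a key she never verified
    ("mallory", "stranger"),
]

def trusted_paths(signatures, anchors, max_depth=None):
    """Return {key: signature chain from an anchor} for every accepted key.

    A key is accepted if an anchor, or an already accepted key, signed it.
    max_depth limits how many signatures a chain may contain (None = no limit).
    """
    signed_by = {}
    for signer, subject in signatures:
        signed_by.setdefault(signer, []).append(subject)
    paths = {a: [a] for a in anchors}
    queue = deque(anchors)
    while queue:
        signer = queue.popleft()
        if max_depth is not None and len(paths[signer]) - 1 >= max_depth:
            continue                      # chain is already at the limit
        for subject in signed_by.get(signer, []):
            if subject not in paths:      # BFS keeps the shortest chain
                paths[subject] = paths[signer] + [subject]
                queue.append(subject)
    return paths

def blast_radius(signatures, anchors, bad_signer):
    """Keys accepted only because of signatures made by bad_signer."""
    with_bad = set(trusted_paths(signatures, anchors))
    remaining = [(s, k) for s, k in signatures if s != bad_signer]
    without_bad = set(trusted_paths(remaining, anchors))
    return sorted(with_bad - without_bad)

if __name__ == "__main__":
    # Audit view: which chain of signatures caused each key to be accepted.
    for key, chain in trusted_paths(SIGNATURES, ["alice"]).items():
        print(f"{key:9s} accepted via {' -> '.join(chain)}")
    print("only via carol:", blast_radius(SIGNATURES, ["alice"], "carol"))
    print("depth <= 2:", sorted(trusted_paths(SIGNATURES, ["alice"], max_depth=2)))
```

The same function models the hierarchical case when the pairs are CA certificates: adding a cross-certification pair from a trusted CA to another CA makes everything the second CA issued accepted as well.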

Source by Animesh K