 

Trust Authorities: A Dynamic Trust Model for the Internet

Seeds of thought

Public-key cryptography based certificates with their off-line mindset do not match the requirements of our modern always-online environment.

Today, trust on the internet is created with public-key cryptography based digital certificates.

When you access an e-commerce web site, you expect to see the lock icon in your browser indicating that the site is secure.

There are many problems with the status quo:

  • Current browsers have a long list of Certification Authorities (CAs), most of whom are small and unknown to the user. It is questionable if all of them should be implicitly trusted for certifying any web site in the world.
  • Certificates have been granted to the wrong parties by the CAs, largely negating the trustworthiness of the whole system. As certificates cannot effectively be withdrawn once created, the problem cannot be solved easily. Revocation lists are not checked by most software using digital certificates.
  • Unfortunately selected expiry dates (Dec 31, 1999) for CA certificates in some browsers taught people to click "Use this web site anyway" and ignore the warnings.

The PKI certificate designs and protocols predate the connected world of the internet. They were designed for an off-line world, where it is critical to be able to check certificates off-line without contacting the certification authority, and this design criterion has resulted in a system which does not match our online world very well.

The requirement for off-line checking of trust is not critical in our always-online society: when you're surfing to a web site, you are online already, and wireless devices are bringing always-on connectivity to the world at an amazing speed.

The benefits of an online check of trustworthiness far outweigh the small cost of doing the checking itself.

Instead of using static certificates issued for long periods of time by CAs, we can use a dynamic Trust Authority to check the trustworthiness of a party when a transaction is started.

The dynamic nature of TA checking also allows for collecting user feedback, dynamic changing of trustworthiness levels and instant revocation of trust when necessary.

Speaking the user's language

The CA-based systems in use today use complex technical jargon the user does not understand.

Especially with something as important as trust, it is important to be able to communicate with the user proficiently.

It seems that the strict valid/invalid mindset of the CA way of doing things, which lacks the vague levels of trust of our real world, contributes to this problem. Because of this, every mishap with the system significantly reduces the level of trust people place in it.

It should be possible to say "This site is mostly reliable, users have given a rating of 4.8/5, read them here" instead of just showing a lock icon.

Users can select a few TAs they trust and then use the decisions of those TAs when going from service to service.

The TAs may work together: if one of them does not know the resource, it might send the user a reply such as "We do not know about X, but Y says they are OK and Y has in our experience been reliable."

The TA service could be offered by current insurance companies or credit card companies. They already work in an environment of changing and vague levels of trust, with probabilities and prices for a variety of different outcomes.

They could offer a guarantee that if something goes wrong they will reimburse the user if the trust level presented was not wrong.

Doing one TA transaction (a small single request) when dealing with a web site (loading many web pages) is implementable already in today's networks.

It is possible to use short-lived certificates to reduce network requests when the user frequents the same place often, or to provide a level of service even when the user is off-line: "I am not able to check this party at this time, but you have used the same site 75 times before without problems."
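The client-side decision flow described above (user-selected TAs, referral between TAs, short-lived cached assertions, off-line fallback to local history), as an added sketch that is not part of the original essay. The names `Assertion`, `TrustAuthority` and `TrustClient`, the 300-second lifetime, the "most cautious TA wins" policy and the in-memory TAs standing in for network requests are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass

@dataclass
class Assertion:
    site: str
    rating: float     # vague trust level 0.0-5.0, not valid/invalid
    source: str       # TA whose rating this is
    expires: float    # short-lived: epoch seconds
    via: str = ""     # TA that relayed a referral, if any

class TrustAuthority:  # in-memory stand-in for an online TA (constructed data)
    def __init__(self, name, ratings, peers=(), ttl=300):
        self.name, self.ratings, self.peers = name, dict(ratings), list(peers)
        self.ttl, self.online = ttl, True

    def revoke(self, site):
        self.ratings[site] = 0.0      # visible to the very next query

    def query(self, site, now):
        if site in self.ratings:
            return Assertion(site, self.ratings[site], self.name, now + self.ttl)
        for peer in self.peers:       # "we do not know X, but Y says they are OK"
            if peer.online and site in peer.ratings:
                return Assertion(site, peer.ratings[site], peer.name,
                                 now + self.ttl, via=self.name)
        return None

class TrustClient:
    def __init__(self, authorities):
        self.authorities, self.cache, self.history = list(authorities), {}, {}

    def record_ok(self, site):        # local memory of problem-free visits
        self.history[site] = self.history.get(site, 0) + 1

    def check(self, site, now=None):
        now = time.time() if now is None else now
        cached = self.cache.get(site)
        if cached and cached.expires > now:
            return ("cached", cached)
        live = [ta for ta in self.authorities if ta.online]  # reachable TAs
        if not live:                  # off-line: fall back to local history
            return ("offline", self.history.get(site, 0))
        known = [a for a in (ta.query(site, now) for ta in live) if a]
        if not known:
            return ("unknown", None)
        worst = min(known, key=lambda a: a.rating)   # most cautious TA wins
        self.cache[site] = worst
        return ("referred" if worst.via else "direct", worst)
```

A cached assertion is still served after the TA has revoked the site, until `expires` passes, so the assertion lifetime is the upper bound on how long a revocation can go unnoticed by a client.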

Generally, social problems (trusting an unknown party) cannot be solved completely with some magic technology. There has to be an understanding of how humans think, and support for the vague and constantly changing levels of trust that humans are used to living with.

(last updated 21.7.2001)

 


(c) ihaa.com 1995-2002