Abstract. Public-key authentication based on public-key certificates is a special case of the general problem of verifying a hypothesis (that a public key is authentic), given certain pieces of evidence. Beginning with PGP, several authors have pointed out that trust is often an uncertain piece of evidence and have proposed ad hoc methods, sometimes referred to as trust management, for dealing with this kind of uncertainty. These approaches can lead to counter-intuitive conclusions as is demonstrated with examples in the PGP trust management. For instance, an introducer marginally trusted by a user can make him accept an arbitrary key for any other user. In this paper we take a general approach to public-key authentication based on uncertain evidence, where not only trust, but also other pieces of evidence (e.g. entity authentication) can be uncertain. First, we formalize the assignment and the valuation of confidence values in the general context of reasoning based on uncertain evidence. Second, we propose a set of principles for sound confidence valuation. Third, we analyze PGP and some other previous methods for dealing with uncertainty in the light of our principles.
We introduce a trust evaluation method applicable in a decentralized setting, in which no universally trusted authority exists. The method makes simultaneous use of logic and probability theory. The result of the qualitative part of the method are logical arguments for and against the reliability of an entity. The quantitative part returns the probability that the reliability of an entity can be deduced under the given assumptions and pieces of evidence, as well a corresponding probability for the counter-hypothesis. Our method is a true generalization of existing methods, in particular the Credential Networks. It relies on digital signatures for authenticating messages and accounts for many-to-many relationships between entities and public keys. Moreover, it includes eight different types of trust relations, namely the assumption or the statement that an entity is honest, competent, reliable, or malicious, and their corresponding negations.
This chapter describes the difficulty of managing authenticity and trust in large open networks. Participants of such networks are usually unknown to each other. Questioning somebody’s authenticity and trustworthiness is thus a natural reflex and an important security prerequisite. The resulting problem of properly managing authenticity and trust is an emerging research topic. The chapter proposes a common conceptual framework and compares it to several existing authenticity and trust models. The goal is to increase the awareness that authenticity and trust are not separable and to promote the corresponding two-layer requirement.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.