[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Auth]Authorization Certificates

From: Nick Lothian
Subject: RE: [Auth]Authorization Certificates
Date: Thu, 19 Jul 2001 13:27:41 +0930

> "Vinko Vrsalovic B." wrote:
> > Can the links be identified?
> > 
> > Can you tell the user that the place is where he is trying to obtain
> > X is trusted by A, B and not D?
> > 
> > And can you tell the server that the user X is trusted
> > by servers A, B and not D?
> > 
> > I think that if PKI is going to be the one, you must tell
> > people who trust who, so they can make choices based on that.
> hi, all. I have recently published a draft of what i had in mind for
> 'Trust'. it is designed with Jabber Identity in mind (
> ), but you can easily port 
> it over to
> another system.
> it explains 'links' or 'lines' of trust, and how they can be used.
> by the way, Kent Gnuyen also of this list has been working on 
> a similar
> concept, which he calls "The Web of Trust".

The best working implementation of a trust matrix is (as I expect most of
you know) Advogato ( Raph Levin
( - the site's owner) is working on his
PhD in this area (

The IBM Haifa research labs are also working in this area
(, and have some
good research papers available.

Trust matricies in a centralised environment (where you can always request
trust ratings from a single server) are fairly well understood. In an
untrusted decentralised envrionment they are tricky, however, because the
attack-resistance of the system depends on the number of valid trust links
available. Since you can't trust any node other than yourself, you need to
get trust ratings from lots of other nodes and do the trust calculations
yourself, rather than relying on calculated trust values for branches.

This is a slow system, because it requires lots of network connections to
lots of nodes which may or may ot exist.

AFAIK, there have been no successful implementations yet.

However, if someone can figure out a way to make it work (and do the math to
prove it), then trust matricies could be really useful tool, because they
are the only known way of determining if you can trust a resource without
knowing anything else about it.

  Nick Lothian

reply via email to

[Prev in Thread] Current Thread [Next in Thread]