Rethinking PKI: What's Trust Got to Do with It?

Much of the literature related to public key infrastructure (PKI) uses terms such as “trust” extensively and assumes that certification authorities (CAs) are trusted third parties (TTPs). It is certainly true that the best known CAs today are commercial TTPs, and such CAs have played an important role in making the general public aware of PKIs. But, not all PKIs need adopt this sort of CA model, in which relying parties are required to make value judgments about the trustworthiness of the organizations that operate CAs. PKIs are not intrinsically valuable. They are infrastructures that, if successful, facilitate authentication and authorization services based on the use of public key cryptography. Thus it is appropriate to ask questions about these services: In what context are these services being employed? What forms of identifiers are meaningful for the context? Does the context relate to existing physical world, or does it exist only in cyberspace? Are the services offered to anyone, or are they intended for identifiable user populations? Are their existing organizational entities that are authoritative for the authentication or authorization information contained in the certificates issued by the CAs?