summaryrefslogtreecommitdiff
path: root/content/technical/about-trust-assertions.md
diff options
context:
space:
mode:
Diffstat (limited to 'content/technical/about-trust-assertions.md')
-rw-r--r--content/technical/about-trust-assertions.md130
1 files changed, 130 insertions, 0 deletions
diff --git a/content/technical/about-trust-assertions.md b/content/technical/about-trust-assertions.md
new file mode 100644
index 0000000..41e2428
--- /dev/null
+++ b/content/technical/about-trust-assertions.md
@@ -0,0 +1,130 @@
+Title: About Trust Assertions
+Date: 2010-10-13
+Tags: technical, security, gnome
+Slug: about-trust-assertions
+
+I've been working on some specifications for storage of 'trust'. This a
+sufficiently vague and abstract concept to require a hoity toity name:
+*Trust Assertions*
+
+Trust assertions are used to assign an explicit level of trust to a
+public key or certificate. I'll just refer to certificates below because
+that's the easiest to grasp, but the concept is sufficiently abstract to
+allow trust assertions for other types of keys.
+
+Examples of trust assertions include:
+
+- Certificate Authority root certificates
+- Certificate Revocation Lists
+- Certificates you decide to trust manually (for your favorite self
+ signed certificate)
+- Certificates marked bad explicitly
+
+Trust assertions are not about the process of deciding whether you'll
+eventually trust a certificate. Ultimately an application needs to
+determine trust a certificate for a given connection, email or instant
+message. It does this by checking if it's valid, who it's signed by, and
+an obscene amount of other rules. It usually does this with the help of
+a crypto library.
+
+Only the application has all the information necessary to make a trust
+decision. A simple example of this is how web browsers check that the
+common name (ie: `CN`) of the certificate matches the domain name of the
+`https://` website you've browsed to.
+
+Trust assertions are about storing basic facts that applications use in
+their trust decision process.
+
+ **The Concept** 
+
+A trust assertion describes a level of trust in a certificate for a
+given usage or purpose.  Conceptually each trust assertion is a triple
+containing:
+
+- Certificate Reference
+- Usage (aka purpose)
+- Level of Trust
+
+We examine each of these parts of the triple in further detail below.
+
+**The Level of Trust**
+
+A trust assertion ultimately denotes a level of trust. These are:
+
+- Untrusted: The certificate is explicitly untrusted.
+- Unknown: The trust is not known and should be determined
+ elsewhere.
+- Trusted: The certificate itself is explicitly trusted.
+- Trusted Delegator: The certificate is trusted as a certificate
+ authority trust root.  Trust is conferred to certificates that
+ this certificate has signed, or that signed certificates have
+ signed, and so on.
+
+**The Usage**
+
+A trust assertion always refers to a specific purpose or usage.  A
+certificate may be trusted for purposes like: email, code signing,
+authenticating a server.
+
+It turns out that carte blanche trust not a super useful concept. You
+(should) always trust someone for some purpose. You trust your bank
+with your money, not your children; you trust your school with your
+children, and so on.
+
+**The Certificate Reference**
+
+And finally we have the certificate that the trust assertion refers
+to.
+
+
+Pretty boring stuff actually. But it does get exciting. By comoditizing
+trust storage, we can use these well defined concepts for new methods of
+trust decision making.
+
+The way certificate authorities work in your web browser scares a lot of
+people. By changing to a more general trust storage model, we have the
+possibilities for applications to try out new trust paradigms. One
+example is the have-I-seen-this-key-at-this-site-before trust model,
+used by OpenSSH. But I'm certain that more methods will emerge as more
+energy is brought to bear on the problem.
+
+Okay enough hand waving, and back to earth.
+
+The [specification I'm working on][] defines how to store trust
+assertions as PKCS\#11 objects. This isn't a new concept, and has been
+[implemented in Mozilla's NSS][] for a long time. However as far as I
+can tell it hasn't yet been documented.
+
+
+<div
+style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">
+
+After some prodding (thanks Nikos) I figured I'd do some work to
+document it properly.
+
+</div>
+
+<div>
+
+</div>
+
+
+GNOME Keyring is completing its implementation of trust assertions. For
+a long time now, we've had simple read-only trust assertions that
+exposed everything in <span class="Apple-style-span"
+style="font-family: 'Courier New', Courier, monospace;">/etc/ssl/certs</span> as
+a trusted delegator (ie: a certificate authority).
+
+But now we're working on rounding out the support on the [trust-store
+branch of gnome-keyring][].
+
+[Cosimo][] is working on XTLS to encrypt jabber chats in empathy, and so
+the trust-store work will help store certificate exceptions in
+gnome-keyring.
+
+</p>
+
+ [specification I'm working on]: http://thewalter.net/git/cgit.cgi/pkcs11-trust-assertions/tree/draft-pkcs11-trust-assertions.xml
+ [implemented in Mozilla's NSS]: http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/util/pkcs11n.h
+ [trust-store branch of gnome-keyring]: http://git.gnome.org/browse/gnome-keyring/tree/?h=trust-store
+ [Cosimo]: http://blogs.gnome.org/cosimoc/