At 3:32 PM -0700 6/14/02, Einar Stefferud wrote:

>Ok, we are getting somewhere now.
>
>So, I ask, where does trust come from in PKI if not from
>transmission via some 3rd party CERT issuer, which I understand to
>be a use of transitivity of trust from the CERT buyer, through the CA
>to the relying party.
>
>Maybe this is erroneous thinking, but if so, please explain how
>the trust information is passed from the CERT holder through the CA
>to the cert recipient who will use it as a basis of trust. To me,
>this looks like transitivity.
>
>A trusts B; C trusts A; therefore C trusts B????
>
>Cheers...\Stef

Stef,

A public key cert is a digitally signed attestation by a CA, binding attributes to a public key. It is a digital credential. We deal with physical credentials all the time and in most cases we don't ask whether we trust the issuer of the credential to correctly issue the credential, although there are exceptions. More often we worry about the integrity of the credential per se, e.g., how hard is it to forge a credential.

I feel that the term "trust" is appropriately applied to certs when the CA is not authoritative for the attributes in the cert, but is not appropriate when the CA is authoritative. By analogy, we normally do not say that we "trust" an employer to identify its employees or the U.S. State Dept. to identify U.S. citizens. They are authoritative as credential issuers and thus the term trust, while potentially applicable, is not commonly applied, i.e., it is implicit.

Steve
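The mechanics behind the "A trusts B; C trusts A; therefore C trusts B" exchange above, as an added example that is not part of either message in the thread: a CA (A) signs an attestation binding a name to B's public key, and a relying party (C) that holds only A as a trust anchor accepts that credential, while rejecting a credential for the same name signed by an issuer C has not configured. It uses only the Go standard library's X.509 support; the party names, the single-level chain and the ClientAuth usage are assumptions chosen for illustration, not anything the thread specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate that binds subjectName to subjectKey's public key.
// With parent == nil the certificate is self-signed, i.e. a CA that a relying
// party may choose to install as a trust anchor.
func issue(subjectName string, subjectKey *ecdsa.PrivateKey, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subjectName}, // the attribute being attested
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Assumed usage for the end-entity credential in this illustration.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, subjectKey // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &subjectKey.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// relyingPartyAccepts models party C. C has never spoken to B; all it holds is
// trustAnchor. It accepts leaf only if leaf chains, by signature, to that anchor
// and is valid for the usage C cares about.
func relyingPartyAccepts(trustAnchor, leaf *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Demo builds the scenario: CA A certifies B; C trusts only A. It returns
// whether C accepts B's credential from A, and whether C accepts a credential
// for the same name "B" issued by an unrelated CA X that C does not trust.
func Demo() (acceptsB bool, acceptsRogue bool, err error) {
	keyA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	certA, err := issue("CA A", keyA, true, nil, nil, 1)
	if err != nil {
		return false, false, err
	}
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certB, err := issue("B", keyB, false, certA, keyA, 2)
	if err != nil {
		return false, false, err
	}
	// A second issuer, X, attests the same name for a different key. The
	// credential is well-formed; C simply has no anchor that reaches it.
	keyX, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certX, err := issue("CA X", keyX, true, nil, nil, 3)
	if err != nil {
		return false, false, err
	}
	keyB2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	certRogue, err := issue("B", keyB2, false, certX, keyX, 4)
	if err != nil {
		return false, false, err
	}
	return relyingPartyAccepts(certA, certB), relyingPartyAccepts(certA, certRogue), nil
}

func main() {
	ok, rogue, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("C accepts B's cert from A: %v\n", ok)
	fmt.Printf("C accepts 'B' cert from untrusted X: %v\n", rogue)
}
```

The point the code makes concrete is that C's acceptance rests entirely on two things: C's own decision to install A as an anchor, and the unforgeability of A's signature over the attribute binding. Nothing about B is transmitted to C except through that signed attestation, which is why the question of whether A is authoritative for the attribute (here, the name "B") is separate from whether the credential itself can be forged.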