Various models have evolved over the years for establishing trust in distributed systems. Some key models are explained below.
Implicit Trust Model
In this trust model, there are no explicit mechanisms for validation of credentials. An example is an e-mail originating from a sender. In most cases the recipient, particularly in a known domain, assumes that it was actually sent by the apparent sender. This exhibits an implicit trust model. Even in today’s digitally secure e-mail world there is a lot of spam and fraud, and hence this model does not fit completely in a business realm. Its suitability also depends on the criticality of the underlying data. This trust model is also known as an assumptive trust model. It is unobtrusive and inexpensive, but it is also prone to higher risks and susceptible to fraud. The trust relationships that are formed are complex and governed by many human and technology factors.
Explicit Trust Model
This model of trust is used when we perform an entity confirmation in isolation, without dependence on any other entity or preexisting credentials. This is the most commonly used trust model in the industry. The biggest advantage of an explicit trust model is that the authentication of the credentials is done using self-reliant mechanisms without any delegation. This leads to a higher degree of trust, with every entity associated with the trust mechanism. This trust model is required to reduce the liability of organizations and also to comply with regulatory policies.
The most common examples of explicit trust models are password-based authentication and PKI architectures. Password authentication is controlled by the host system and may have multiple underlying authentication algorithms. In a typical PKI architecture, the CA initiates all trust relationships. The CA is the common trust entity that performs all original entity authentications and generates the credentials that are bound to specific entities. Though this model provides a high level of trust, it requires more effort and is traditionally expensive. However, this model is a prerequisite for financial transactions such as payment gateways and e-commerce.
Intermediary Trust Model
This model of trust is used when trust or ‘proof of trust’ is transmitted through intermediaries. It is commonly used in peer-to-peer and distributed systems. An example would be the following: You are throwing a party and you invite friend B through a direct trust model. Friend B in turn comes with his friend C. If you trust friend C, it would mean you have switched to an intermediary trust model. The intermediary trust model can be complex and extremely contextual. There can be ‘n’ levels associated with an intermediary trust model. It also involves selective associative trust models based on certain policies for certain contexts. Enterprises today use an intermediary trust model within their own boundaries, but use it selectively with business partners and the extended enterprise.
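The party example above can be expressed as a trust-path check with a per-context limit on the number of intermediaries. This is an added example, not part of the original article; the names, the trust edges and the `MAX_INTERMEDIARIES` policy values are constructed assumptions.

```python
from collections import deque

# Constructed sample data: direct trust edges, truster -> directly trusted parties.
DIRECT_TRUST = {
    "you": {"B"},
    "B": {"C"},
    "C": {"D"},
}

# Hypothetical per-context policy: how many intermediaries may sit between
# the truster and the subject (0 means direct trust only).
MAX_INTERMEDIARIES = {"party": 1, "partner": 0, "internal": 2}


def trust_path(truster, subject, edges=DIRECT_TRUST):
    """Return the shortest chain of direct-trust edges, or None if no chain exists."""
    queue = deque([[truster]])
    seen = {truster}
    while queue:
        path = queue.popleft()
        if path[-1] == subject:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:  # guards against cycles in the trust graph
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def is_trusted(truster, subject, context):
    """Decide trust for one context; unknown contexts and missing chains fail closed."""
    limit = MAX_INTERMEDIARIES.get(context)
    path = trust_path(truster, subject)
    if limit is None or path is None:
        return False, path
    intermediaries = max(len(path) - 2, 0)  # nodes strictly between the two ends
    return intermediaries <= limit, path


if __name__ == "__main__":
    for subject, context in [("B", "party"), ("C", "party"),
                             ("C", "partner"), ("D", "internal")]:
        print(subject, context, is_trusted("you", subject, context))
```

The same subject C is accepted in the "party" context and rejected in the "partner" context, which is the selective, policy-driven use of intermediary trust that the paragraph describes.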
Published on Wed 29 March 2017 by Millie Johnson in Security with tag(s): trust models distributed