A guide to being more secure
Trust Model implementation by PKI
A Trust Model is the collection of rules that inform application on how to solve the legitimacy of a Digital Certificate. According to the ITU-T X.509, Section 3.3.54, trust is defined as follows:
“Generally an entity can ‘trust’ the second entity if the first entity makes the assumption that the second entity will behave exactly as the first entity expects.”
For the purpose of describing trust modeling, relative to security architecture methodology, the following principles or elements are offered:
- Trust is a characteristic and quality of a security architecture.
- Trust is a balancing of liability and due diligence.
- Trust is the enabling of confidence that something will or will not occur in a predictable or promised manner. The enabling of confidence is supported by identification, authentication, accountability, authorization, and availability.
- Trust is the binding of unique attributes to a unique identity.
- Trust is defined as a binary relationship or set of compounded binary relationships, based on individual identity or unique characteristic validation.
Now when you want to implement a trust model that can cover all or some of these principles, one of the best ways is Public Key Infrastructure (PKI) and there are four types that are used to implement the trust model with PKI.
A. Hierarchical Trust Model: The hierarchical model or tree model is the most common model to implement the PKI. A root CA at the top provides all the information and the intermediate CAs are next in the hierarchy, and they only trust the information provided by the root. The root CA also trusts intermediate CAs that are in their level in the hierarchy.
This arrangement allows a high level of control at all levels of the hierarchical tree this might be the most common implementation in a large organization that wants to extend its certificate-processing capabilities. Hierarchical models allow tight control over certificate-based activities.
B. Bridge Trust Model: In Bridge Trust Model we have many P2P relations between RootCAs that the Root CAs can communicate with each other and allow cross-certificates. This implementation model allows a certification process to be established between Organizations (or departments).
In this model, each intermediate CA trusts only the CAs above and below it but the CA structure can be expanded without creating additional layers of CAs. Additional flexibility and interoperability between organizations are the primary advantages of a bridge model.
C. Hybrid Trust Model: Sometimes you need to link two or more organizations or departments in some part and separate other segments. When you need to make trust in some parts of two organization but you don`t want to be this trust in other segments of your organization. In these times the Hybrid Trust Model can be the best model for you. You can be extremely flexible when you build a hybrid trust structure and the flexibility of this model also allows you to create hybrid environments.
Notice that in this structure, the intermediate CAs which are out of the hybrid environment can trust only to direct Root CA and Intermediate CAs in the hybrid environment, trust to all Root CAs that connect to any intermediate CA in the hybrid environment.
D. Mesh Trust Model: When you want to Implement a Hierarchical Trust Model with cross-certification checking or a web of Root CAs, the mesh trust model is your best choice. In the other sights, the mesh model migrates the concepts of bridge structure with multi-paths and multi Root CAs.
Certifications in each one of Root CAs are authorized in all of Root, Intermediate, and leaf CAs and all end-users that connected to each one of CA chains.
All of these models can use and implement in your organization, base-on your business needs and really maybe a model in an organization is the best way and in another is the worst way and it`s totally dependent on your organization business model, security and trust architecture and more important than these is your mindset.
I hope this article is useful for you and helps you to architect your security and trust model in the best model and structure for your organization and finally please write your comment and feedback to help me, to write better.