Try OpenEdge Now
skip to main content
Core Business Services - Security and Auditing
Security : Public-Key Infrastructure (PKI) : Trust relationships and supporting mechanisms : PKI trust model
PKI trust model
To help ensure trust, a PKI relies on a standard trust model that assigns to a third party the responsibility of establishing a trust relationship between any two communicating entities. The model used by a PKI is a strict hierarchical model. At the top is a publicly (or privately) recognized source (authority) that everyone using the PKI recognizes and trusts to validate (authorize and certify) the identities that are part of the PKI. Under this authority might exist subordinate authorities that rely on the top (root) authority as the ultimate source of authorization and certification.
The mechanism that is typically used to convey or validate this authorized identity is the digital certificate. The authority that is entrusted with issuing digital certificates for the purpose of authorizing and validating identity is a Certification Authority (CA, also often referred to as a Certificate Authority). Again, CAs can be organized in a hierarchy of authority with the ultimate authority at the top being the root CA of that CA hierarchy. The strength of a CA rests entirely on the agreement between the holder of an identity that is authorized by the CA on one side and those who communicate with the holder of that identity on the other side to trust the integrity of the CAs authorization of that identity. Among other requirements, the most important is that this identity must be unique to the identity holder, and all parties involved must trust the CA to guarantee this to the extent possible.
Standards have been developed to define digital certificates, and the most widely accepted standard is the X.509 portion of the ISO and CCITT/ITU-T X.500 suite of standards. However, given that a PKI adheres to such a standard and CAs exist to authorize X.509 digital certificates, the problem still remains for users of the PKI to determine what constitutes a trusted CA, a CA that they can trust to authorize digital certificates and assure the identities that they represent. The industry supports reputable public CAs, such as RSA, Thawte, and Verisign. However, there are other public CAs and many more private CAs from which the PKI user must choose.