This paper describes the ICE-TEL Trust Model, which is a merging of the PGP [6] web of trust and the X.509 [7]/PEM [8] hierarchy of trust models. Each user has a Personal Security Environment (PSE) in which he stores the public keys that he trusts. This will always contain his own public key and, if he is part of a certification hierarchy, the public key of the CA at the top of his hierarchy and the public key of the CA that certified him (these two CAs may be the same or different CAs, depending upon the depth of the hierarchy). In addition, the user may add to his PSE the public keys of remote users and remote CAs that he trusts. It is a local issue how the PSE is protected, but self-signed certificates are one way of securing the public keys and related information. It is a local issue how the public keys are obtained, but out-of-band means are recommended.

All CAs and users within a given CA hierarchy are governed by the same security policy, and hence form a security domain. If the user operates at different levels of security, i.e., is a member of different security domains, it is a local issue whether he has one PSE for each domain, or a combined PSE that stores the security domain/policy with each key (V3 certificates support the latter). Similarly, if a CA operates at different levels of security, it is a local issue whether the CA produces separate certificates in accordance with each policy, or one certificate validated to the highest security level but also containing the policy OIDs of the lower security levels. (Issue for discussion at the workshop: is this as secure or not? If not, or if it introduces other problems, then we can mandate that they are kept separate.)
The term "trusted point" is used to refer to the CA at the top of a CA hierarchy and also to an individual user that is not part of a certification domain. CAs may cross certify other trusted points, provided that the security policy of a remote domain fulfills its criteria for trust, as detailed in its cross certification policy. Cross certification may be one-way or mutual (cf. authentication).
Each trusted point must keep a local cache of (or pointer to) the list of cross certificates that it has issued. Each user must keep a local cache of (or pointer to) the certification path from its trusted point to its own public key certificate. (If a user is a member of multiple security domains then he will keep one path for each domain.) This aids the creation of complete certification paths from one user to another both within and between security domains.
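The cross certification and certification-path rules in the two paragraphs above, as an added worked example that is not from the paper: a verifier starts from the trusted points held in its PSE and searches the certificates it can reach for a path to the target key, entering another domain only through a cross certificate issued by one of its trusted points under a policy the verifier accepts. The Cert class, the find_path function and the CA and user names are constructed for this illustration; signatures are abstracted away so that the path-building logic is visible.

```python
"""Certification-path construction under the ICE-TEL trust model (added
illustration; Cert, find_path and the sample names are constructed)."""
from collections import deque


class Cert:
    """`issuer` vouches for `subject`'s public key under security `policy`.
    A cross certificate is one whose issuer and subject are both trusted
    points (tops of hierarchies); a self-signed entry has issuer == subject."""
    def __init__(self, issuer, subject, policy):
        self.issuer, self.subject, self.policy = issuer, subject, policy


def find_path(certs, trusted_points, target, accepted_policies):
    """Breadth-first search from the verifier's trusted points (the CA keys
    in its PSE) to `target`, following only certificates issued under a
    policy the verifier accepts. Returns the list of certificates forming
    the path, or None when no acceptable path exists."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    queue = deque((tp, []) for tp in trusted_points)
    seen = set(trusted_points)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for c in by_issuer.get(node, []):
            if c.policy in accepted_policies and c.subject not in seen:
                seen.add(c.subject)          # avoids loops via self-signed certs
                queue.append((c.subject, path + [c]))
    return None


# Constructed sample: domain A (CA-A-root -> CA-A-1 -> alice) and domain B
# (CA-B-root -> bob). CA-A-root has cross certified CA-B-root one-way only.
SAMPLE_CERTS = [
    Cert("CA-A-root", "CA-A-root", "basic"),   # self-signed top of hierarchy A
    Cert("CA-A-root", "CA-A-1", "basic"),
    Cert("CA-A-1", "alice", "basic"),
    Cert("CA-B-root", "CA-B-root", "basic"),   # self-signed top of hierarchy B
    Cert("CA-B-root", "bob", "basic"),
    Cert("CA-A-root", "CA-B-root", "basic"),   # one-way cross certificate A -> B
]


def alice_verifies_bob():
    """Alice trusts CA-A-root; the cross certificate lets her reach bob."""
    path = find_path(SAMPLE_CERTS, {"CA-A-root"}, "bob", {"basic"})
    return [c.subject for c in path] if path else None


def bob_verifies_alice():
    """Bob trusts CA-B-root, which issued no cross certificate into domain A."""
    path = find_path(SAMPLE_CERTS, {"CA-B-root"}, "alice", {"basic"})
    return [c.subject for c in path] if path else None
```

Because the cross certification is one-way, Alice can build a path to Bob but Bob cannot build one to Alice until CA-B-root cross certifies CA-A-root in turn.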
References

[1] Details about the author can be found at http://www.salford.ac.uk/its024/chadwick.htm
[2] Details about the ICE-TEL project can be found at http://www.darmstadt.gmd.de/ice-tel/
[3] The draft ICE-TEL trust model can be found at http://fw4.iti.salford.ac.uk/ice-tel/trust/trust.doc
[4] The ICE-TEL basic security policy can be found at http://www.darmstadt.gmd.de/ice-tel/euroca/policy.html
[5] The Internet Firewalls report can be found at http://fw4.iti.salford.ac.uk/ice-tel/firewall/
[6] Stallings, W. "Protect Your Privacy: the PGP User's Guide". Englewood Cliffs, NJ: Prentice-Hall, 1995. ISBN 0-13-185596-4
[7] "Information Technology - Open Systems Interconnection - The Directory - Authentication Framework", ISO/IEC 9594-8:1993 | ITU-T X.509, 1993
[8] Kent, S. "Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management", RFC 1422, February 1993