Untrusted Third Parties: Key Management for the Prudent


Mark Lomas and Bruno Crispo
Affiliation: Cambridge University
Abstract: The "flavour of the month" in distributed-system security appears to be TTPs (Trusted Third Parties). Bob Morris has described TTPs as "parties who can violate your security policy without detection". Instead, I prefer to think of parties who may be privileged, in the sense that they can perform acts that you and I can't do, but whose actions may be audited. I call these "Untrusted Third Parties".

I should perhaps make it clear that a party may be trusted but untrustworthy or trustworthy but not trusted. The fatal mistake in security system design is to assume that the terms "trusted" and "trustworthy" are synonymous.

We have been building untrusted key certification and revocation services and an explicit audit policy that allows us to determine whether these services have misbehaved. Interestingly, such distrust may be of benefit not just to the customer, but also to the service provider.

For more information, contact mark.lomas@cl.cam.ac.uk.