Professional Documents
Culture Documents
Guide to Trust
Services
What's New
This guide examines trust services from the
Reference perspective of open information interchange. It
Business Guides has the following structure:
Standards List
Standards Fora List 1. A System of Trust
RTD Project List 2. Trusted Third Parties
3. The Building Blocks of Trust
News 4. Examples of Trust Services
Electronic Commerce
Information Management
This guide should be read in conjunction with the
Information Society RTD
Standards Conferences Diffuse Guide to Information Security, which
provides further information on the guidelines,
User Support criteria and technical building blocks for the
Index management and use of trusted third party
Search services, as well as guidelines on the
Help Desk management of information security in general.
Background 1. A System of Trust
About IST
About Diffuse
Diffuse FAQ
A System of Trust is an environment whereby
RTD Initiatives entities (Administrations, Businesses,
IPR Statement Consumers) may trade or transact with each
Disclaimer other with the confidence that all entities are who
they claim to be, conduct business in accordance
with their functional obligations, and in which all
exchanges between parties are secure.
It should be noted that 'security' is a subjective
term, but may be defined as an acceptable
balance of threats against safeguards for a
particular circumstance. Central to a system of
trust is an acceptable level of security for a given
task or activity. Further information is provided
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 2 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 3 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 4 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 5 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 6 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 7 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 8 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 9 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 10 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 11 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 12 of 27
following subsections:
! Archive: The deposit of information
! Timestamping: Providing evidentiary time
stamps to records or transactions
! Non-repudiation: Ensuring evidence of
transmission or origination
! Entity authentication: Ensuring the
correctness of the entities involved
! Notary: The attestation that something has
been done
! Audit: The recording of some action
! Reliability assessment: An entity advising
others who receive digital signatures about
the reasonableness of reliance on those
digital signatures
! Message corroboration service: A person
who creates a hash result to fix the message
content and then timestamps the message
and/or hash result. Message corroboration
relates only to message content and timing
and does not include a digital signature, so it
provides no evidence of the origin of the
message
! Information brokering: An intermediary in
the relationship between the user of
information and the provider
! Payment and billing: Taking payment from
users of information and other electronically
distributed goods on behalf of providers, for
example a copyright use and billing service
! Financial responsibility service: A person
aiding a certification authority in satisfying
the financial responsibility requirements.
Such a person could be a surety issuing a
bond, a bank issuing a letter of credit or a
liability insurance carrier.
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 13 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 14 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 15 of 27
! Non-repudiation of origin
! Non-repudiation of delivery
! Non-repudiation of submission
! Non-repudiation of transport.
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 16 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 17 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 18 of 27
mechanism.
The validity and authenticity of the public key
are therefore most important. How such a key is
securely obtained is outside the scope of this
process. The public key could be obtained by
using a certificate distributed by a TTP or by
some other means mutually agreed by the entity
and the verifier. Authentication may be both
unilateral and mutual.
Entity authentication mechanisms are often
designed around 'zero knowledge' classes of
mechanisms are:
! Identity based, where a trusted accreditation
authority provides secret accreditation
information which is a function of the
claimant’s identity
! Certificate based, where a claimant has a
public, private key pair and the verifier a
trusted copy of the claimant's public key --
this may be by using a certificate signed by
a TTP).
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 19 of 27
! APIs
! Smart Cards
! Labelling
! Privacy Practices.
3.2 APIs
APIs need to be available for a number of
cryptographic service interfaces in support of
trust services, including:
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 20 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 21 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 22 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 23 of 27
3.4 Labelling
The precise content of information which is
exchanged between parties is often unknown in
advance. Thus, even if a recipient is assured of
the source and the delivery through specific TTP
mechanisms, the final content may be unwanted.
Labelling is a means of describing what is in the
content associated with the label without users
having to open the container to examine the
contents. The key to a labelling system is the
kind of data provided in the label and what the
data in the label actually says. Both are crucial
for identifying the content to the user and to
enable the user to decide whether he wishes to go
a step further: to open the container and access
the content. In addition, rating and filtering, as
specific applications of labelling, are processes
which would enhance the provisioning of trust
services.
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 24 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 25 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 26 of 27
http://www.diffuse.org/trust.html 7/6/2003
Diffuse Guide to Trust Services Page 27 of 27
http://www.diffuse.org/trust.html 7/6/2003