Results 1 - 10 of 11
Valuation of Trust in Open Networks, 1994
Cited by 159 (0 self)
Authentication in open networks usually requires participation of trusted entities. Many protocols allow trust to be obtained by recommendation of other entities whose recommendations are known to be reliable. To consider an entity as being trustworthy, especially if there have been several mediators or contradicting recommendations, it is necessary to have a means of estimating its trustworthiness. In this paper we present a method for the valuation of trustworthiness which can be used to accept or reject an entity as being suitable for sensitive tasks. It constitutes an extension of the work of Yahalom, Klein and Beth ([YKB93]). Keywords: Trust values, Trust measures, Distributed systems 1 Introduction Communication in open networks often requires information about the trustworthiness of the participating entities, especially when authentication protocols need to be performed. If, for example, user A receives a message signed allegedly by user B without having B's verification dat...
Attack resistant trust metrics for public key certification - In 7th USENIX Security Symposium, 1998
Cited by 85 (1 self)
This paper investigates the role of trust metrics in attack-resistant public key certification. We present an analytical framework for understanding the effectiveness of trust metrics in resisting attacks, including a characterization of the space of possible attacks. Within this framework, we establish the theoretical best case for a trust metric. Finally, we present a practical trust metric based on network flow that meets this theoretical bound. independent sources of certification, and rejects (by assigning low trust values) assertions with insufficient certification. The previous work raises many questions, including: To which kinds of attack is a trust metric resistant? Which trust metric is best? How well do these trust metrics work?
Authentication Metric Analysis and Design - ACM Transactions on Information and System Security, 1999
Cited by 64 (1 self)
Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an effort to bolster authentication, but the success of this approach may be unclear in the face of intersecting paths, ambiguities in the meaning of certificates, and interdependencies in the use of different keys. Thus, several authors have proposed metrics to evaluate the confidence afforded by a set of paths. In this paper we develop a set of guiding principles for the design of such metrics. We motivate our principles by showing how previous approaches failed with respect to these principles and what the consequences to authentication might be. We then propose a new metric that appears to meet our principles, and so to be a satisfactory metric of authentication.
Attack Resistant Trust Metrics, 2004
Cited by 61 (0 self)
This dissertation characterizes the space of trust metrics, under both the scalar assumption where each assertion is evaluated independently, and the group assumption where a group of assertions are evaluated in tandem. We present a quantitative framework for evaluating the attack resistance of trust metrics, and give examples of trust metrics that are within a small factor of optimum compared to theoretical upper bounds. We discuss experiences with a real-world deployment of a group trust metric, the Advogato website. Finally, we explore possible applications of attack resistant trust metrics, including using it to build a distributed name server, verifying metadata in peer-to-peer networks such as music sharing systems, and a proposal for highly spam resistant e-mail delivery.
Resilient Authentication Using Path Independence - IEEE Transactions on Computers, 1998
Cited by 40 (1 self)
Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating channels in a large distributed system. In this paper, we explore the use of multiple paths to redundantly authenticate a channel and focus on two notions of path independence (disjoint paths and connective paths) that seem to increase assurance in the authentication. We give evidence that there are no efficient algorithms for locating maximum sets of paths with these independence properties and propose several approximation algorithms for these problems. We also describe a service we have deployed, called PathServer, that makes use of our algorithms to find such sets of paths to support authentication in PGP applications.
Toward Acceptable Metrics of Authentication - In Proceedings of the 1997 IEEE Symposium on Research in Security and Privacy, 1997
Cited by 40 (2 self)
Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an effort to bolster authentication, but the success of this approach may be unclear in the face of intersecting paths, ambiguities in the meaning of certificates, and interdependencies in the use of different keys. Several authors have thus proposed metrics to evaluate the confidence afforded by a set of paths. In this paper we develop a set of guiding principles for the design of such metrics. We motivate our principles by showing how previous approaches fail with respect to them and what the consequences to authentication might be. We then propose a direction for constructing metrics that come closer to meeting our principles and thus, we believe, to being satisfactory metrics for authentication. 1 Introduction Determining the owner of...
Path Independence for Authentication in Large-Scale Systems - In ACM Conference on Computer and Communications Security, 1996
Cited by 29 (2 self)
Authenticating the source of a message in a large distributed system can be difficult due to the lack of a single authority that can tell for whom a channel speaks. This has led many to propose the use of a path of authorities, each able to authenticate the next, such that the first authority in the path can be authenticated by the message recipient and the last authority in the path can authenticate the message source. In this paper we suggest the use of multiple such paths, no two of which share a common authority, to provide independent confirmation of the message source. We formalize the problem of finding a maximum set of such paths of bounded length in a graph-theoretic framework, in which the problem can be seen to be NP-hard. We propose approximation algorithms for this problem and evaluate their accuracy on a graph induced by a database of PGP certificates. We also introduce the PathServer for PGP, a service for finding maximum sets of such paths to support authentication in ...
Using Web Service Enhancements to Bridge Business Trust Relationships
Cited by 3 (0 self)
With the development of web technology and distributed systems, online collaborations are becoming more common and more demanding. These collaborations require online business trust relationships among collaborating organizations. Online business trust relationships can protect the trust, integrity, and privacy of shared resources, which are the foundation for online business. Web services provide standard mechanisms to enable online interactions and further online collaborations. Yet security, privacy and trust-related protection mechanisms for web services need additional development. In an interconnected network environment, bridging extant business relationships to extend the business circle is a convenient and tempting way. Physical connections with proper privacy and security protections are required for bridging two autonomous organizations. Likewise, collaborating organizations need proper protection mechanisms for bridging extant business trust relationships among cooperating parties. These protection mechanisms must therefore ensure privacy and owner control in the entire process of bridging business trust relationships due to the subjectivity of the relationships. This paper describes an indirect trust establishment mechanism using web service enhancements to bridge and build new online business trust relationships from extant business trust relationships providing privacy protection and owner control simultaneously.
Certificate Recommendations to Improve the Robustness of Web of Trust - IN PROC. ISC '04, 2004
Cited by 2 (0 self)
Users in a distributed system establish webs of trust by issuing and exchanging certificates among themselves. This approach does not require a central, trusted keyserver. The distributed web of trust, however, is susceptible to attack by malicious users, who may issue false certificates. In this work, we propose a method for generating certificate recommendations. These recommendations guide the users in creating webs of trust that are highly robust to attacks. To accomplish this we propose a heuristic method of graph augmentation for the certificate graph, and show experimentally that it is close to optimal. We also investigate the impact of user preferences and non-compliance with these recommendations, and demonstrate that our method helps identify malicious users if there are any.
An Access Control Model Based on Distributed Knowledge Management - 18th International Conference on Advanced Information Networking and Applications (AINA 04), 2004
Cited by 1 (0 self)
The conceptual architecture of the access control system described here is based on automatic distributed acquisition and processing of knowledge about users and devices in computer networks. It uses autonomous agents for distributed knowledge management. Agents grouped into distributed communities act as mediators between users/devices and network resources. Communicating with each other, they make decisions about whether a certain user or device can be given access to a requested resource. In other words, agents in our system perform user/device authentication, authorisation, and maintenance of user credentials.

