Chains of trust
Chains of trust play an important role in digital processes. Just like in everyday life, the question is: who trusts whom, and why? The relationship isn’t necessarily symmetrical: party A may trust party B, but B doesn’t necessarily trust A. However, the relationship usually is transitive: if party A trusts party B and party B trusts party C, then A can also trust C. These chains of trust also play an important role in the digital world.
Bob wants to interact with Alice via an electronic channel. Alice gives him her public key. Bob wants to check Alice’s identity and make sure that the public key he has received really belongs to her. Alice sends Bob a certificate that has been digitally signed by the certification authority C. Bob can check the validity of the certificate using this signature S from C and C’s public key. The certificate Z is a dataset that contains Alice’s name and public key. By this method, C confirms that the public key belongs to Alice. However, Bob doesn’t trust C.
Bob can now check the next link in the chain of trust and verify whether another trustworthy certification authority R will confirm that C’s public key really belongs to C. C sends Bob a certificate that has been digitally signed by R. Bob can check the validity of the certificate using this second signature from R and R’s public key. The second certificate is also a dataset. This one contains the name and public key of the certification authority C. By this method, R confirms that this public key belongs to C. Bob trusts R, and can now also trust C.
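
The two checks Bob performs above, as an added example that is not part of the original page: a standard-library Python sketch that uses toy textbook RSA in place of a real signature scheme. The function names, the JSON certificate layout and all key values are assumptions constructed for illustration.

```python
import hashlib, json

E = 65537  # public exponent used by every toy key below

def toy_keypair(p, q):
    """Textbook RSA from two primes: (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(name, pubkey, n):
    """Hash the certificate dataset (name + public key) to an integer below n."""
    body = json.dumps({"name": name, "pubkey": pubkey}, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(name, pubkey, issuer, issuer_n, issuer_d):
    """The issuer signs the dataset, producing a certificate."""
    sig = pow(digest(name, pubkey, issuer_n), issuer_d, issuer_n)
    return {"name": name, "pubkey": pubkey, "issuer": issuer, "sig": sig}

def verify_chain(chain, trusted):
    """chain is leaf-first; trusted maps names Bob already trusts to their keys.
    Returns the leaf's public key once a link is signed by a trusted key, else None."""
    for i, cert in enumerate(chain):
        anchored = cert["issuer"] in trusted
        if anchored:
            issuer_n = trusted[cert["issuer"]]
        elif i + 1 < len(chain) and chain[i + 1]["name"] == cert["issuer"]:
            issuer_n = chain[i + 1]["pubkey"]  # provisional until a later link anchors it
        else:
            return None                        # no certificate vouches for this issuer
        if pow(cert["sig"], E, issuer_n) != digest(cert["name"], cert["pubkey"], issuer_n):
            return None                        # signature does not match the dataset
        if anchored:
            return chain[0]["pubkey"]
    return None

# Constructed toy keys built from Mersenne primes: unpadded and far too small for real use.
R_N, R_D = toy_keypair(2**107 - 1, 2**127 - 1)  # trusted authority R
C_N, C_D = toy_keypair(2**61 - 1, 2**89 - 1)    # certification authority C
ALICE_PUB = 0xA11CE                             # constructed stand-in for Alice's key
Z = issue("Alice", ALICE_PUB, "C", C_N, C_D)    # certificate Z, signed by C
CERT_C = issue("C", C_N, "R", R_N, R_D)         # C's certificate, signed by R

if __name__ == "__main__":
    print(verify_chain([Z], {"R": R_N}))          # None: Bob does not trust C
    print(verify_chain([Z, CERT_C], {"R": R_N}))  # Alice's key: R vouches for C
```

Real certificate validation also checks validity periods, whether the issuer is permitted to act as a certification authority, and revocation status, none of which this sketch models.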