
Build Your Own Trust Chain

We have added the ability to create custom trust chains in Certisfy that are verifiable independently of the Certisfy PKI root. These trust chains will lack the identity component of a trustworthy Certisfy certificate, so owners of such chains are responsible for implementing their own identity procedures.

Receivers of claims from such custom trust chains will have to whitelist (bookmark in Certisfy) the root certificate in order for claims from those certificates to pass verification. Use cases for custom trust chains are many.


Software package supply chain trust

There is an ongoing challenge around software supply chain security, i.e. developers who integrate software libraries and components into their own applications and solutions are faced with the prospect of unwittingly including malicious vulnerabilities.

The problem ultimately boils down to the difficulty of ensuring that the people who have write access to these packages are trustworthy. This would remain an ongoing problem, requiring not just core due diligence by package owners and maintainers but also general ecosystem monitoring. Even after vetting a contributor, it is still possible they are malicious or compromised.

Another front related to this challenge has to do with AI instruction packages, i.e. packages such as agent skills. Packaging AI instructions as skills and distributing them for general use is likely going to be a key way to scale AI utility by making it possible for more users to leverage the work of others.

If one person has done the work of packaging instructions and supporting material (including code) for a given task, it makes sense to facilitate the re-use of that effort.

Distributed trust solutions via cryptographic trust chains are not a silver bullet but could certainly help a lot. 

In Certisfy, you can create certificates that support delegation and use them to implement your own trust chain. For instance, any well-known and trusted entity or individual can create a root certificate and, via delegation, build a trust chain from that root.

Each trust chain is free to institute its own rules and procedures for validating and issuing certificates. The Certisfy toolkit is flexible. Users can whitelist trusted roots either in Certisfy or through third-party SDK-integrated solutions.

Git, for instance, supports signature verification for commits, but it doesn't support any delegation mechanism by default. You can, however, use a key on a trusted chain for commits, which makes that mechanism much more flexible, or embed your commit signing public key in a trusted chain certificate.

In other words a verifier can verify a git commit signature, then validate that the issuer of the signature is on a trust chain they trust.
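The two checks described above, as an added example that is not Certisfy's code or certificate format: it uses Go's standard X.509 library with Ed25519 keys as a stand-in, and the signed payload is a constructed stand-in for a git commit. The names `issue`, `verify` and the certificate subjects are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and certificate for cn; nil parent = self-signed root, IsCA = may delegate.
func issue(cn string, canDelegate bool, pCert *x509.Certificate, pKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, IsCA: canDelegate,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if pCert == nil {
		pCert, pKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, pCert, pub, pKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify requires a chain from signer to a whitelisted root and a valid signature over msg.
func verify(msg, sig []byte, whitelist *x509.CertPool, signer *x509.Certificate, delegates ...*x509.Certificate) error {
	inter := x509.NewCertPool()
	for _, c := range delegates {
		inter.AddCert(c)
	}
	if _, err := signer.Verify(x509.VerifyOptions{Roots: whitelist, Intermediates: inter}); err != nil {
		return fmt.Errorf("signer is not on a trusted chain: %w", err)
	}
	return signer.CheckSignature(x509.PureEd25519, msg, sig)
}

func main() {
	root, rk := issue("Project Root", true, nil, nil)
	maint, mk := issue("Maintainer", true, root, rk)
	dev, dk := issue("Contributor", false, maint, mk)
	trusted := x509.NewCertPool() // the verifier's whitelist of bookmarked roots
	trusted.AddCert(root)
	msg := []byte("constructed commit payload")
	fmt.Println(verify(msg, ed25519.Sign(dk, msg), trusted, dev, maint))
}
```

Verification fails when the root is not in the verifier's whitelist, when a delegate is missing from the presented chain, or when a certificate was issued by a holder without the delegation flag.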


Non-Technical Use cases

There are countless non-technical use cases that follow a delegated authority approval structure that works well when implemented as a trust chain. These can be long-running processes, short projects or just fun activities.


Nothing described above requires something like Certisfy; you can achieve some of the same things with openssl and a CLI tool, for instance. The Certisfy value proposition, at least in this context, is UX, especially as it relates to trust delegation.

Here is a demo of how one can use these capabilities:


 
