How is CA Trust Calculated in PKI Trust Center?
One of the objectives of PKI Trust Center is to help users decide the amount of trust they can place in a recognized certification authority (CA). In practice, this help is offered via a rating that indicates the degree of trust that can be placed in the CA based on the policies this CA follows to issue certificates.
Why don't all recognized certification authorities listed in PKI Trust Center have a trust rating of 100%? Because the rating is produced by an algorithm that takes into account parameters of the certification policies that relate objectively to the concept of trust, such as the size of the digital certificate key or whether the registration process requires the physical presence of the digital certificate owner.
PKI Trust Center uses data mining techniques to calculate an initial rating automatically; these techniques also have the capacity to learn as the users of the applications provide their own ratings on the CAs, in line with the philosophy of Web 2.0 applications.
The catalog benefits from this progressive learning as the trust that certain current certification practices deserve can change over time owing to, for example, the evolution of security mechanisms or legal regulations.
The progressive learning process of the data mining algorithm that infers the trust rating of the certification policies is achieved simultaneously in two ways:
- Expert users can assign a rating to a policy that is different from the value calculated automatically. Thus, the system gains experience and learns from the changes made, adapting automatically to provide a more refined result from the moment the changes are made.
- The number of reference parameters for performing the calculation, and the value ranges they can take, can be increased. Thus, the application progressively gets more information, and the result of the automatic calculation is closer to the real perception of trust that users have of each of the policies.
In the first version of PKI Trust Center, several of the CA certification policies had a trust rating that appeared low (about 30 out of 100). This was because, even though the parameters of the certification policies were acceptable, they did not always correspond to the maximum security, and the algorithm had still not learnt from user contributions. Obviously, users found it strange that the objective rating of recognized certification authorities was so low, for which reason it was necessary to apply a correction factor to the trust ratings.
Thus, in PKI Trust Center version 1.1, all the policies of the recognized CAs in the catalog fall within a trust range between 50 and 100. Obviously, over time, the current policies may become obsolete and the algorithm will assign progressively lower values.

A use case of the PKI Trust Center trust ratings can be found in Interidy Identity Provider's “Import from X.509” functionality. If it is found that the digital certificate was issued using a policy with a rating greater than the threshold (currently 50 out of 100), the information is regarded as having come from a trusted source, and, therefore, the data is considered verified.
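To make the mechanism described above concrete, here is an added illustrative model of the rating pipeline: an objective score from policy parameters, the version 1.1 correction onto the 50 to 100 band, an expert override, and the "Import from X.509" threshold check. This is example code written for this page, not PKI Trust Center's own algorithm; the parameter weights, the linear correction and the `hsm_protected_ca_key` parameter are assumptions.

```python
"""Illustrative trust-rating calculation in the spirit of PKI Trust Center.

Added example, not PKI Trust Center's own algorithm: the weights, the linear
correction onto the 50..100 band and the extra HSM parameter are assumptions
chosen to mirror the text above; the import threshold of 50 is from the page.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    """Reference parameters of a certification policy (constructed sample)."""
    name: str
    key_bits: int                # size of the certificate key
    physical_presence: bool      # registration requires the owner in person
    hsm_protected_ca_key: bool   # hypothetical extra parameter (assumption)


def raw_trust(policy: Policy) -> float:
    """Objective score in 0..100 from the policy parameters (assumed weights)."""
    score = 0.0
    if policy.key_bits >= 2048:        # strong key: full marks
        score += 40
    elif policy.key_bits >= 1024:      # weaker but still accepted
        score += 20
    if policy.physical_presence:       # in-person registration
        score += 40
    if policy.hsm_protected_ca_key:    # hypothetical parameter
        score += 20
    return score


def corrected_trust(raw: float, expert_override: Optional[float] = None) -> float:
    """Map a raw 0..100 score onto the 50..100 band used since version 1.1.

    An expert rating, when given, replaces the automatic value (clamped to 0..100).
    """
    if expert_override is not None:
        return max(0.0, min(100.0, expert_override))
    return 50.0 + raw / 2.0            # assumed linear correction factor


IMPORT_THRESHOLD = 50.0  # "Import from X.509" threshold stated on the page


def import_is_verified(rating: float) -> bool:
    """Data is regarded as verified only when the rating exceeds the threshold."""
    return rating > IMPORT_THRESHOLD
```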