Why are PKI relationships based on ‘trust’?
This is a good question. We often say we do business with particular people (or organizations) because we can ‘trust’ them, but what we mean by that is not very specific; rather, it is warm and fuzzy. Commercial trust is based upon experience: has the business relationship been good, do we deliver, do we go the extra mile, do we like each other when we meet, and so on. It is not always about a specific person, although it might be. On the Internet it is really hard to ‘know’ who you are actually dealing with. Hackers have shown us how easy it is to appear to be someone else in e-mail, or to get us to forward their mail to our contacts without our even knowing it. Since you cannot see the person at the other end of the connection, you have to have some trust that they are who they claim to be. So that, in the PKI sense, is really what is meant by trust. Unfortunately, some people have had the idea that being able to trust a digital identity (digital signature) can be extended to trusting that they can order