\section{Trust Systems}
\label{sec:related-trust}

\subsection{PGP Key Servers}

\footnote{This section was written by Brian Sniffen.}
Pretty Good Privacy is a general-use public-key cryptography tool.  It
provides for encrypted and signed communication.  Users exchange their
public keys by means of widely publicized servers:

\begin{quotation}
Public Key Servers exist for the purpose of making your public key
available in a common database where everybody can have access to it
for the purpose of encrypting messages to you. While a number of key
servers exist, it is only necessary to send your key to one of them.
The key server will take care of the job of sending your key to all
other known servers.\cite{pgpfaq}
\end{quotation}

Each public key on the key servers is signed by people who can verify,
by some means, that the person whose name is attached to a key
actually controls the associated secret key.

Users who download a public key from the servers set two parameters
within their own installation of PGP:
\begin{itemize}
\item Confidence that this key represents the user whose name is
attached.
\item Confidence that this person exercises good judgment in signing
other people's keys.
\end{itemize}

By means of these two values, a network of trust is established.  PGP
serves as an effective means of communication, and has established a
good infrastructure for safely exchanging keys.  It fails due to user
interface problems: most notably, each key to be accepted as an
introducer requires informed attention on the part of the user.  As a
result, it has not become widespread enough to be generally useful.
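
The way the two parameters combine can be shown in a few lines of Python.
This is an added example, not code from PGP or from the original text: the
key names, the sample signatures, and the thresholds (one fully trusted or
three marginally trusted introducers, at most five rounds of introduction)
are assumptions chosen for illustration.  Each entry in the owner-trust
table is one of the informed decisions the user must make by hand.

```python
# Added illustration: simplified web-of-trust validity calculation.
# All names, thresholds and sample data are constructed assumptions.
FULL, MARGINAL = "full", "marginal"

# Second parameter: the user's confidence in each owner's judgment as an
# introducer. Every entry here is a decision the user makes by hand.
OWNER_TRUST = {"me": FULL, "alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
               "dave": MARGINAL, "stranger": FULL}

# Signatures found on the key server: key -> keys that signed it.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice"},                  # one fully trusted introducer
    "erin": {"bob", "carol"},           # two marginal introducers
    "frank": {"bob", "carol", "dave"},  # three marginal introducers
    "mallory": {"stranger"},            # signer's own key is never validated
}

def valid_keys(signatures, owner_trust, roots,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return the keys accepted as belonging to their named owners
    (the first parameter), derived from signatures and introducer trust."""
    valid = set(roots)
    for _ in range(max_depth):
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature counts only if the signing key is itself valid.
            counted = [s for s in signers if s in valid]
            full = sum(owner_trust.get(s) == FULL for s in counted)
            marginal = sum(owner_trust.get(s) == MARGINAL for s in counted)
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(key)
        if not newly:
            break
        valid |= newly  # keys validated this round can introduce next round
    return valid

if __name__ == "__main__":
    print(sorted(valid_keys(SIGNATURES, OWNER_TRUST, roots={"me"})))
```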

\subsection{Netscape Certificate Authorities}
Many commercial web sites wish to ensure that visitors can communicate
with them securely.  Some also want to strongly verify the identities
of their visitors.  Certificate Authorities (CAs) exist in a
multi-rooted hierarchy.  A handful of top-level authorities certify
most commercial sites; such sites are then able to establish session
keys with their users.  Some such sites issue personal certificates to
their users.

The flaw here is that users are locked into trusting the established
CAs.  A user can't decide that he trusts his friends to certify
things, but not VeriSign.

\subsection{AOL Instant Messenger}
AIM\cite{aolim} is a popular messaging client.  In order to avoid
harassment, users are allowed to file a complaint about those who have
sent them messages.  Users who accumulate a certain number of
complaints per unit time are automatically disconnected from the
service.  The problem here is that \emph{every} AIM user is therefore
trusting \emph{every} other AIM user to act as a censor.  AIM has had
numerous problems with this complaint feature being used to deny
service to various targets.

\subsection{Internet Relay Chat}
The IRC network establishes trust based on a very simple model: IP
addresses.  A common technique among crackers on IRC is to flood the
host of a victim, temporarily knocking him off the network.  While the
victim is thus distracted, the cracker spoofs packets from the victim
to an IRC server, giving privileges to himself and removing them from
the victim.  When the victim returns to the network, he is now
unprivileged, and is subject to further attacks by the now-privileged
cracker.

Clearly, non-cryptographic trust models are not useful against modern
adversaries.

\subsection{Mobile Agents for Network Trust}
MANET\cite{manet} is a DARPA project to produce ``a
compromise-tolerant structure for information gathering.''  The
motivation is to create a system whereby untrusted networks can
cooperate to fight against ``mobile adversaries'': adversaries who
move from one network to another.  The MANET project attempts to avoid
the problem of corrupted servers by requiring several servers to weigh
in on a subject with direct evidence before action is taken.  This
approach is, even in the eyes of the MANET authors, somewhat na\"ive.
MANET relies on correct execution of mobile code 

\subsection{Publius}
The Publius system\cite{publius} has an implicit trust model entirely
divorced from reality: there is a static set of servers, all of which
are widely and publicly known.  Documents are statically stored on
several of these servers, having been split using Shamir's Secret
Sharing Algorithm.  If one of these servers is corrupted, it is
assumed it will be replaced.

It is possible to turn Publius into an informal but workable system
with a very small amount of work: if the servers are all publicly
known, then an informal trust network can be put into place.  Create a
discussion forum, called perhaps \texttt{alt.anonymous.publius}.
Sites which wish to become servers advertise here; if users discover
that a server has been corrupted, they can denounce it in that forum.
Of course, this system provides no formality or assurances whatsoever.

