Trusted third party
In cryptography, a trusted third party (TTP) is an entity which facilitates interactions between two parties who both trust the third party; they use this trust to secure their own interactions. TTPs are common in cryptographic protocols, for example, a certificate authority (CA).
An example
Suppose Alice and Bob wish to communicate securely — they may choose to use cryptography. Without ever having met Bob, Alice may need to obtain a key with which to encrypt messages to him. In this case, a TTP is a third party who may have previously met Bob in person, or is otherwise willing to vouch that this key (typically carried in an identity certificate) belongs to the person named in that certificate, in this case Bob. In discussions, this third party is often called Trent. Trent gives the certificate to Alice, who then uses the key in it to send secure messages to Bob. Alice can trust this key to be Bob's if and only if she trusts Trent. In such discussions, it is simply assumed that she has valid reasons to do so.
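As an added illustration of the Alice, Bob and Trent exchange (not part of the original article), the following Python models Trent issuing an identity certificate that binds the name "Bob" to Bob's public key, and Alice accepting the key only when the certificate verifies under Trent's key. The signature scheme is a Lamport one-time signature built from SHA-256 so the script needs only the standard library; the name "Mallory" and the two failing cases are constructed for the example.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    # Lamport one-time signature: 256 pairs of random secrets form the private
    # key; their hashes form the public key. Each key may sign only one message,
    # so a real Trent would need a fresh key per certificate (assumption of this toy).
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one secret of each pair, chosen by the corresponding message-hash bit
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def cert_body(name: str, pk) -> bytes:
    # Canonical encoding of the (name, public key) binding that the issuer vouches for
    return name.encode() + b"\x00" + b"".join(a + b for a, b in pk)


def issue_certificate(issuer_sk, name: str, subject_pk):
    return {"name": name, "pk": subject_pk, "sig": sign(issuer_sk, cert_body(name, subject_pk))}


def verify_certificate(trusted_issuer_pk, cert) -> bool:
    # Alice accepts the binding only if it is signed by an issuer she already trusts
    return verify(trusted_issuer_pk, cert_body(cert["name"], cert["pk"]), cert["sig"])


def alice_scenario():
    # Constructed scenario: Alice holds Trent's public key out of band and trusts it.
    trent_sk, trent_pk = keygen()
    _bob_sk, bob_pk = keygen()
    mallory_sk, mallory_pk = keygen()
    bob_cert = issue_certificate(trent_sk, "Bob", bob_pk)
    swapped = dict(bob_cert, pk=mallory_pk)                       # key replaced, Trent's signature kept
    self_issued = issue_certificate(mallory_sk, "Bob", mallory_pk)  # issuer Alice does not trust
    return {
        "genuine": verify_certificate(trent_pk, bob_cert),
        "key_swapped": verify_certificate(trent_pk, swapped),
        "untrusted_issuer": verify_certificate(trent_pk, self_issued),
    }
```

The two failing cases show the point of the passage: the certificate is worth exactly as much as Alice's trust in the issuer, and a valid signature from anyone other than Trent buys Mallory nothing.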
Actual practice
How to actually arrange for trustworthy third parties of this type is an unsolved problem. So long as there are motives of greed, politics, revenge, etc., the humans who perform (or supervise) the work done by such an entity will provide potential loopholes through which the necessary trust may leak. The problem, perhaps an unsolvable one, is ancient and notorious. That large impersonal corporations make promises of accuracy in their attestations of the correctness of a claimed public key <math>\leftrightarrow</math> user correspondence (e.g., by a certificate authority as a part of a PKI) changes little.
The PGP cryptosystem includes a variant of the TTP in the form of the web of trust. PGP users digitally sign each other's identity certificates and are instructed to do so only if they are confident the person and the public key belong together. A key signing party is one way of combining a get-together with some certificate signing. Nonetheless, doubt and caution remain sensible, as some users have been careless in signing others' certificates.
Trusting humans, or their organizational creations, can be risky. For example, in financial matters, bonding companies have yet to find a way to avoid losses in the real world.
Parallels outside cryptography
Outside cryptography, the law in many places makes provision for trusted third parties upon whose claims one may rely. For instance, a notary public acts as a trusted third party for authenticating or acknowledging signatures on documents. A TTP's role in cryptography is much the same, at least in principle. A certificate authority fills just such a notary function, attesting to the identity of a key's owner.
Courts are also trusted third parties in the sense that disputes brought before them are presumed to be decided in a disinterested and dispassionate way consonant with a body of established law and (in common law countries) precedent. In fact, governments generally act (and require others to act as well) as though they were trusted third parties in many circumstances.