What is the trust model in the public key infrastructure?

A trust model is a collection of rules that tells an application how to decide whether a digital certificate is legitimate. There are two types of trust models in wide use.

– 1. HIERARCHICAL
– 2. TRUSTED WEB

1. HIERARCHICAL

Hierarchical, also called the CA model, is the basis of most certification systems. It is also considered the traditional model, used by the large certification authorities. In this model, certificate users surrender their element of trust to the CA instead of proving the authenticity of each digital certificate themselves. Once you are satisfied that the CA you are dealing with is trustworthy, you agree to trust any other certificate that the CA vouches for.

In the hierarchical trust model, the CA is at the top level and trust flows from the top down to the end user. This feature of the hierarchical trust model places no burden on the end user to prove their authenticity. One important thing to keep in mind is that the CA you trust may cross-certify another CA’s PKI; if it does, your system will also automatically accept certificates from that CA. In practice, it is advisable to be aware of your CA’s practices, as this will prevent you from accepting certificates from strangers.

2. TRUSTED WEB

In the web-of-trust model there is no centralized organization that makes the decisions. Users themselves decide whom to trust, based on their personal experience and knowledge or on the suggestions and opinions of other people they trust. The web of trust is best known for its implementation in PGP.

If someone you already know gives you their public key, it is safe to tell your application that the key is trusted. This is done by signing the key. When another user receives your public key, they can see which keys you have signed. If they decide to trust you and sign your key, they in turn become linked to you and to the entities you trust. This is how the web of trust expands.

The entire process is supported by PGP key servers, which hold a database of keys and signatures that is added to regularly. The web of trust works very well for small organizations. The only downside of the web-of-trust model is that when a user signs the wrong keys, the entire group is affected.
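To make both models concrete, here is a small simulation added to this page (example code, not taken from PGP or any CA software). It models the hierarchical chain walk from a leaf certificate up to a trust anchor, including the cross-certification case described above, and a PGP-style web of trust in which a key becomes valid once a trusted introducer has signed it, including the case where an introducer signs the wrong key. The "signature" is a SHA-256 stand-in so the code runs on the standard library alone; it is forgeable and only exists so the trust logic can be exercised. All names, key ids and certificates are constructed for the example.

```python
"""Toy hierarchical (CA) and web-of-trust models. Added example, not real PKI
code: toy_sign is a forgeable SHA-256 stand-in for a real digital signature."""
import hashlib


def key_id(name: str) -> str:
    # Stand-in for a public key: a short fingerprint derived from the name (constructed).
    return hashlib.sha256(f"pubkey-of-{name}".encode()).hexdigest()[:16]


def toy_sign(signer_id: str, message: str) -> str:
    # Stand-in for a digital signature. NOT secure: anyone can compute it.
    return hashlib.sha256(f"{signer_id}|{message}".encode()).hexdigest()


def toy_verify(signer_id: str, message: str, sig: str) -> bool:
    return toy_sign(signer_id, message) == sig


# ---- 1. Hierarchical (CA) model: trust flows from the anchor down -----------
def issue_cert(issuer_id: str, subject: str, subject_id: str) -> dict:
    body = f"subject={subject}|key={subject_id}|issuer={issuer_id}"
    return {"subject": subject, "key": subject_id, "issuer": issuer_id,
            "body": body, "sig": toy_sign(issuer_id, body)}


def validate_chain(leaf: dict, cert_store: dict, trust_anchors: set, max_depth: int = 8) -> bool:
    """Walk from the leaf towards a trust anchor, checking every signature on the way.
    cert_store maps a key id to the certificate issued for that key. The user trusts
    only the anchors and accepts whatever an anchor (directly or via intermediates) vouches for."""
    cert = leaf
    for _ in range(max_depth):
        if not toy_verify(cert["issuer"], cert["body"], cert["sig"]):
            return False                      # broken link: tampered or forged certificate
        if cert["issuer"] in trust_anchors:
            return True                       # reached a CA the user trusts
        cert = cert_store.get(cert["issuer"])
        if cert is None:
            return False                      # issuer has no certificate we know of
    return False                              # chain too long or looping


def hierarchical_demo() -> dict:
    root_a, root_b = key_id("RootCA-A"), key_id("RootCA-B")
    inter_b, alice = key_id("IntermediateCA-B"), key_id("alice")
    # Constructed chain: RootCA-B -> IntermediateCA-B -> alice
    inter_cert = issue_cert(root_b, "IntermediateCA-B", inter_b)
    alice_cert = issue_cert(inter_b, "alice", alice)
    store = {inter_b: inter_cert}
    anchors = {root_a}                        # the user trusts only RootCA-A
    before = validate_chain(alice_cert, store, anchors)
    # RootCA-A cross-certifies RootCA-B: everything under B is now accepted as well.
    store[root_b] = issue_cert(root_a, "RootCA-B", root_b)
    after = validate_chain(alice_cert, store, anchors)
    tampered = dict(alice_cert, body=alice_cert["body"].replace("alice", "mallory"))
    return {"before_cross_cert": before, "after_cross_cert": after,
            "tampered": validate_chain(tampered, store, anchors)}


# ---- 2. Web of trust: users sign each other's keys --------------------------
def sign_key(signer_id: str, name: str, key: str) -> tuple:
    return (signer_id, toy_sign(signer_id, f"{name}:{key}"))


def web_of_trust_valid(me: str, keyring: list, introducers: set, needed: int = 1) -> set:
    """PGP-style validity: my own key is valid; another key becomes valid once at
    least `needed` valid keys that I also marked as trusted introducers signed it.
    Being valid (I believe the key is yours) and being an introducer (I trust your
    signatures) are separate decisions, as in PGP."""
    valid = {me}
    changed = True
    while changed:
        changed = False
        for entry in keyring:
            key = entry["key"]
            if key in valid:
                continue
            msg = f"{entry['name']}:{key}"
            good = [s for s, sig in entry["sigs"] if toy_verify(s, msg, sig)]
            votes = sum(1 for s in good if s in valid and (s == me or s in introducers))
            if votes >= needed:
                valid.add(key)
                changed = True
    return valid


def web_of_trust_demo() -> dict:
    me, bob, carol, dave = (key_id(n) for n in ("me", "bob", "carol", "dave"))
    impostor = key_id("mallory")              # constructed: mallory's key labelled "dave"
    keyring = [
        {"name": "bob",   "key": bob,   "sigs": [sign_key(me, "bob", bob)]},       # I met bob
        {"name": "carol", "key": carol, "sigs": [sign_key(bob, "carol", carol)]},  # bob vouches
        {"name": "dave",  "key": dave,  "sigs": [sign_key(carol, "dave", dave)]},  # carol vouches
    ]
    introducers = {bob}                       # I trust bob's signatures, not carol's
    ok = web_of_trust_valid(me, keyring, introducers)
    # The downside from the text: bob signs the wrong key for "dave", so everyone
    # relying on bob as an introducer now accepts the impostor.
    poisoned = keyring + [{"name": "dave", "key": impostor,
                           "sigs": [sign_key(bob, "dave", impostor)]}]
    bad = web_of_trust_valid(me, poisoned, introducers)
    return {"carol_via_bob": carol in ok,
            "dave_signed_by_non_introducer": dave in ok,
            "impostor_accepted": impostor in bad}


if __name__ == "__main__":
    print(hierarchical_demo())
    print(web_of_trust_demo())
```

Running it shows the two properties the text describes: in the hierarchical model alice's certificate is rejected until RootCA-A cross-certifies RootCA-B, after which it is accepted without the user doing anything, and any tampering breaks the chain; in the web of trust, carol's key becomes valid because bob (whom I marked as an introducer) signed it, dave's does not because carol is not an introducer, and a bad signature by bob makes the impostor's key valid for everyone who relies on him.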