Trust is a poorly defined but incredibly important concept. In the real world, trust is not easy to obtain. In the digital world it can be even harder. Trust is a risk and the digital world introduces many risks that the real world does not. Digital files can and have been hacked and stolen from previously trusted institutions by malicious entities. It is easy for malicious entities to masquerade as trusted ones. Simply clicking a link without first being certain of its legitimacy can lead to the loss or theft of information.
With so many people pretending to be someone or something else and with so many possible things that could go wrong, how can users be assured that they can really trust anything online? Digital signatures and certificates are the current systems in place to assure users of the identity of the entity they are communicating with, since due to a lack of time and the complexity of digital security it would be impossible for individuals to ascertain the identity and security of any individual entity each time they wished to communicate with it. However, identity is not the only thing that contributes to the digital trust users have in an online entity. Digital trust also depends on the behavior and performance of those entities.
Digital signatures provide very important information for digital security. Digital signatures provide a proof of origin, allowing the receiver to be certain of who sent the message, and proof of the message’s integrity, allowing them to be certain that the message was not altered after being sent. The ability to be sure of who sent the message also prevents senders from being able to claim that they were not involved in the communication later. In order for digital signatures to provide these services, they have to have certain properties. The signature must be independent of but tightly bound to the message, or else it would be difficult to tell if the message was tampered with.
The signature must also be computed in such a way that only the sender would be able to compute their signature, which allows proof of identity and prevents them from claiming that they did not send the message. Also, anyone who receives the digital signature should be able to authenticate it themselves. Digital signatures are able to provide these things through public key cryptography, at least upon the first meeting of two entities before they can communicate a private key and can transition to a symmetric cryptosystem if the transaction is suitable for that. There are several public key cryptosystems that can be used to accomplish this, including RSA, El Gamal, a cryptosystem based on the discrete logarithm problem for elliptic curves, variants of those three, and others. However, those algorithms are very math intensive, so assigning digital signatures to long messages is difficult. In order to mediate this issue, long messages are often condensed and digitally signed using hashing functions.
For digital certificates to be an effective and secure system, digital certificates must also be implemented. Digital signatures rely on public key cryptography, which means that every individual must have a public key. This leads to the problem of ensuring that it is known what public key belongs to what entity so that messages do not go to the wrong place. Digital certificates are what is used to certify the identity of an online entity and confirm that a certain public key actually belongs to a certain entity. These certificates are also digitally signed by an already trusted certifying agency such as Verisign, Baltimore Technologies, and Certiposte.
Certificates can also be certified by virtue of familiarity, where an entity that is already familiar with another can vouch for the identity of a third, thus creating a chain of trust. The most common format for these certificates is the CCITT X.509 standard. This format includes what version of X.509 was used to make the certificate, any information specific to that version, a unique serial number issued by the certifier, what algorithms were used to sign the certificate, the certifier’s name, how long the certificate is valid for, the name of the subject, the details relating to the subject’s public key, and the digital signature itself. X.509 also has the advantage of introducing certifying pathways, which allows entities that were certified through different trusted certification authorities to still be able to check each other’s certification.
Digital signatures and digital certificates are both factors that contribute to digital trust by assuring the user that they really are communication with who or what they intended to communicate with. However, trust in identity is only one aspect of digital trust. Digital trust is also affected by the behavior of digital entities and the user’s familiarity with them. Trust can only be given or taken away from things that the user is familiar with and while digital signatures and certificates can help with that by assuring them that they are communicating with someone they are familiar with, a person or company’s behavior and presence both online and offline also affect the user’s awareness and opinion of them.
For example, a user might trust that they can give their sensitive credit card information to Amazon because it is a well known company without any big scandals relating to information insecurity, but at the same time be hesitant to give that information to another, less familiar online company despite them both having valid digital signatures and certificates that are supposed to assure them of the security of the website. Behavior can also lead to people distrusting certain websites and online entities. Things like data breaches, whether they originate from malicious third parties or are entirely the fault of the organization itself, nearly always have a negative effect on the level of trust users feel for any online entity. For example, after the news of not one, but two data breaches in 2018, Facebook has lost a lot of its users’ trust and has put the company in danger of becoming much less popular and profitable than before.
