The ICE-TEL project is a pan-European project which is building an Internet X.509-based certification infrastructure throughout Europe plus several secure applications that will use it. This article describes the trust model being implemented by the project. A trust model specifies the means by which a user may build trust in the assertion that a remote user is really who he purports to be (authentication) and that he does in fact, have a right to access the service or information he is requesting (authorization). The ICE-TEL trust model is based on a merging of and extensions to the existing pretty good privacy (PGP) web of trust and privacy-enhanced mail (PEM) hierarchy of trust models, and is called a web of hierarchies trust model. The web of hierarchies model has significant advantages over both previous models, and these are highlighted. The article further describes the way the trust model is enforced through some of the new extensions in the X.509 V3 certificates, and gives examples of its use in different scenarios.

Public key certification provides mechanisms that can be used to build truly scaleable security services, such as allowing people who have never met to have assurance of each other's identity. Authentication involves syntactic verification of a certificate chain followed by a semantic look at the policies under which the certificates were issued. This results in a level of assurance that the identity of the person to be authenticated is an accurate description of the person involved, and requires verifiers to specify who they trust and what they trust them to do. Two widely discussed mechanisms for specifying this trust, the PEM and PGP trust models, approach the problem from fundamentally different directions. The EC funded ICE-TEL project, which is deploying a security infrastructure and application set for the European research community, has described a new trust model that attempts to be equally applicable to organisation-centric PEM users and user-centric PGP users.

This thesis presents an Extended Certificate ManagementSystem (ECMS), a possible solution for a global certificationinfrastructure. The system is based on a combined trust modelthat interconnects different types of security domains, fromindividual users, small organisations to arbitrarily complexorganisations. All entities within one security domainestablish their trust in a single trust point. The securitydomains are interconnected through cross certificationrelationships between their trust points.The thesis identifies a number of ECMS entities anddescribes in detail each of their roles. It also specifiesdifferent functions that each of the system entities mayperform during their lifetime. Each of these functions isperformed through an exchange of a number of special ECMSmessages, as specified by ECMS protocols. The protocols betweensystem entities, and the messages exchanged as part of theprotocols are specified at the level of formal definition.ECMS provides users of the system with certificationservices, which can be accessed through ECMS Clients. Thestructure and functionsof the ECMS Client, as well asapplication programming interfaces, through which differentsecurity applications can access the services of ECMS, are alsodefined in this thesis.