This work has provided a number of insights.
Firstly, the use of hash trees rather than certificate chains is appropriate for trust relationships that change slowly (X is an employee of company A) or not at all (book Y was published by company B). Public key certificates are less suited for such relationships, at least in their most common forms: the typical three-year lifetime of a key in an X.509 certificate system is too short for such applications, while a private signing key with a 100-year lifetime would be hard to protect (indeed, even three years may be too long a period over which to protect a really valuable private key). Catalogue based trust is one way of escaping this difficult trade-off between the need for a long-lived public key and a short-lived private one.
Secondly, trust mechanisms built using hash trees are simple to implement, intuitive to use, cost little in performance terms, and need contain no export-controlled mechanisms such as asymmetric cryptography.
Thirdly, catalogue based trust has a very natural fit with the publishing industry's business model in a number of ways ranging from the need to be careful about libel to the fact that catalogues are used anyway. Publishing is no longer a matter of the manufacture and distribution of books and newspapers; much of electronic commerce is publishing in some sense or another, and even where the net is used to sell widgets its main function is the publication of price lists, product data, delivery schedules and other information that is most easily organised in the form of one or more catalogues.
Fourthly, catalogue based trust mechanisms can be used to compensate for the shortcomings of X.509-type systems, such as the failure to support multiple certification discussed above.
Fifthly, catalogue based trust is robust. Cross-links can be inserted easily: a given book might appear both in its publisher's sales catalogue and in its editor's CV. The security failure of one or other of these documents thus leaves the reliability of the book unchanged. Such resilience is harder to achieve using X.509.
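As an added illustration of the first and fifth points (example code written for this page, not code from the Wax project or the paper), the following Python builds each catalogue as a hash tree over its entries, hands a verifier an inclusion proof, and checks it with nothing but a hash function. The second half shows the cross-link argument: the same book digest is placed in two constructed catalogues, and corrupting the publisher's catalogue leaves the book still verifiable against the editor's CV. The catalogue contents, the leaf/node prefix bytes and the sibling ordering are assumptions made here, not the paper's format.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # Prefix bytes keep leaves and interior nodes in separate domains (assumed convention)
    return h(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)


def _pad(level):
    # An odd level duplicates its last node so that every node has a sibling
    return level + [level[-1]] if len(level) % 2 == 1 else level


def build_tree(entries):
    """Levels from leaves to root: levels[0] are leaf hashes, levels[-1] == [root]."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [node_hash(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def root_of(entries):
    return build_tree(entries)[-1][0]


def inclusion_proof(entries, index):
    """Sibling hashes from leaf to root, each tagged with whether it sits on the left."""
    proof = []
    for level in build_tree(entries)[:-1]:
        padded = _pad(level)
        sibling = index ^ 1
        proof.append((padded[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(entry, proof, root):
    """Recompute the path to the root; no keys or certificates are involved."""
    acc = leaf_hash(entry)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root


# Constructed data: one book, cross-linked from two independently published catalogues
BOOK_DIGEST = h(b"constructed contents of book Y")
PUBLISHER_CATALOGUE = [b"book X", BOOK_DIGEST, b"book Z", b"book W", b"book V"]
EDITOR_CV = [b"PhD 1990", BOOK_DIGEST, b"lecturer 1995"]


def cross_link_check(entry, catalogues, trusted_roots):
    """Names of the catalogues whose previously trusted root still vouches for entry."""
    vouching = []
    for name, catalogue in catalogues.items():
        if entry not in catalogue:
            continue
        proof = inclusion_proof(catalogue, catalogue.index(entry))
        if verify_inclusion(entry, proof, trusted_roots[name]):
            vouching.append(name)
    return vouching


def demo():
    catalogues = {"publisher": list(PUBLISHER_CATALOGUE), "editor_cv": list(EDITOR_CV)}
    # Roots a user obtained and trusted at publication time
    trusted_roots = {name: root_of(c) for name, c in catalogues.items()}
    before = cross_link_check(BOOK_DIGEST, catalogues, trusted_roots)
    # Simulated compromise: an entry in the publisher's catalogue is replaced,
    # so proofs drawn from that catalogue no longer lead to its trusted root
    catalogues["publisher"][0] = b"forged book X"
    after = cross_link_check(BOOK_DIGEST, catalogues, trusted_roots)
    return before, after


if __name__ == "__main__":
    print(demo())  # (['publisher', 'editor_cv'], ['editor_cv'])
```

The roots are the only values a user has to obtain out of band; everything else is recomputed from the entries and proofs, which is why the verification step carries no key management at all.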
These advantages have become apparent to us in the course of the Wax project. We have sketched how very simple extensions to HTML can make them available to the net generally. We invite the authors, owners and proponents of other protection mechanisms to come together and agree a syntax for dealing with such protection tags in a standard way. The goal is no less than `trusted browsing' - and, as this work makes clear, the admirable work already done in this direction by protocols such as SSL and SET is only the first step. There are many more protection goals than the secure transfer of credit card numbers from customer to merchant, and we believe that ERLs will make a significant contribution.
We have also developed a mechanism based on one-time signatures to assure the authenticity and integrity of electronic books. Although our particular application was medical, and was driven initially by a requirement to avoid RSA Data Security's patent, many of the lessons learned are much more general. We believe that the mechanisms described here are suitable for any application in which we need to assure the authenticity of relatively stable digital objects over long time periods, such as cataloguing, notarisation and archiving; they are certainly much more suitable than current incarnations of X.509 with all their expiry date and other problems.
There were other, less tangible, benefits. Moving from an X.509 implementation to this one-time scheme was like a breath of fresh air. Almost all the complexity vanished - from ASN.1 and DER, through modular arithmetic, to all the tricks used to protect local signing keys from casual attack. It was found that signatures based on one-way functions could be explained simply to the medical personnel involved in the project, as well as to programmers with no background (or interest) in cryptography. This made progress several times faster than had been the case when the RSA version was implemented in late 1996. The consequences for user trust in the system should not be underestimated; neither should the reduced likelihood that a design or programming bug will be discovered and exploited in attacks.
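To show why a signature built only from a one-way function is so much simpler than the RSA path described above, here is a Lamport one-time signature in Python, added as an example for this page; it is a representative scheme of that family, not a transcription of the Wax implementation. Key generation, signing and verification all reduce to drawing random strings and hashing them, and a small wrapper enforces the one property such keys demand: each private key signs exactly once. The message being signed (a catalogue root) and the public-key commitment format are assumptions made here.

```python
import hashlib
import secrets

HASH_BITS = 256          # one secret pair per bit of the message digest
SECRET_LEN = 32          # bytes per secret value


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random strings. Public key: their hashes."""
    sk = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
          for _ in range(HASH_BITS)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def pk_commitment(pk) -> bytes:
    # One hash of the whole public key: the value a catalogue entry could carry (assumption)
    return h(b"".join(a + b for a, b in pk))


def message_bits(message: bytes):
    digest = int.from_bytes(h(message), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(sk, message: bytes):
    """Reveal, for every digest bit, the secret of the pair chosen by that bit."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Hash each revealed secret and compare with the published value for that bit."""
    if len(signature) != HASH_BITS:
        return False
    return all(h(revealed) == pk[i][bit]
               for i, (bit, revealed) in enumerate(zip(message_bits(message), signature)))


class OneTimeSigner:
    """Holds one key pair and refuses a second signature: reusing a Lamport key
    reveals both secrets of some pairs, which is enough to forge further messages."""

    def __init__(self):
        self._sk, self.pk = keygen()
        self._used = False

    def sign(self, message: bytes):
        if self._used:
            raise RuntimeError("one-time key already used")
        self._used = True
        signature = sign(self._sk, message)
        self._sk = None          # discard the private half as soon as it has been used
        return signature


if __name__ == "__main__":
    signer = OneTimeSigner()
    root = b"constructed catalogue root, version 1"
    sig = signer.sign(root)
    print(verify(signer.pk, root, sig), verify(signer.pk, root + b"x", sig))  # True False
```

The signature is 256 secrets of 32 bytes and the public key twice that, so storage is the cost paid for a design whose every step can be explained with "pick a random string, publish its hash, reveal it later".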
There will be applications in which a mixture of the number-theoretic and hash-function-based approaches will remain attractive. A book on investment, for example, might have its trust based on the techniques described here, but contain embedded public keys based on number theory in order to authenticate online pages of current stock prices. The advantage of such a structure is that these public keys now become independent of X.509 or any other public certification hierarchy, which is highly desirable given the lack of robustness of such mechanisms and the political struggles to control them. Such flexible links from a catalogue-based trust structure to more volatile items could, we believe, accommodate most of the world of journal and magazine publishing within the overall structure described here.
One current thrust of our research lies in extending the Wax mechanisms from proprietary to open publishing systems; ERLs will lay the foundation for this. Other directions of research include the control of updates to cached documents; allowing a user to store the hash with bookmarks and to be informed of changes - either when subsequently loading the document or at update; and interactions with the considerable range of other protection primitives in the security literature (anonymous messaging, digital cash, micropayments, incremental integrity primitives, copyright marking mechanisms and so on).