Attestation by trusted entities plays a number of key roles in computing security and information security and information access management. Typically, a party with some degree of authority or trust will state that an entity or software application can be trusted to perform certain operations on specific information assets or on certain devices. Another party or device or software component will then consider such attestation in making a decision as to whether or not to allow an attempted or requested operation.
An antivirus vendor may have scanned a particular software application and has found that application to be free of known viruses and malware. Once the vendor as the attester makes that finding, a potential user of the software can proceed to install and execute the software with an increased degree of confidence that the software will not behave maliciously. Conversely, the antivirus vendor may have found malware in the scanned software, and the software may he blocked from installation or execution.
Some web-based services such as TUCOWS® by Tucows, Inc. and Download.com by CBS Interactive Inc., as well as application merchants screen applications for viruses before approving them for download by end users. While no formal technical standard is used, the availability of software for download by one of these parties' websites implies such approval, and is intrinsically a form of attestation with regard to the downloadable application.
PC firewalls such as ZONEALARM® by Check Point Software Technologies Ltd. use a simple form of attestation in that they ask a user whether or not to allow network access by a specific application. The user response to such a query, whether positive or negative in regard to allowing such access, is then immediately applied and can be applied again later to future uses of the same application. In this sense, the end user personally “attests” to whether the network access is benevolent and that attestation may he serialized for use again later. If a change is detected in the application, such as the installation of a different version of the application, or the application is modified in some other way, attestation is then effectively retracted and the user is asked again for permission for network access. In addition to this direct attestation by the end user, the firewall vendor may also utilize its own expertise in identifying and automatically permitting specific recognized applications to have network access.
Online third party service such as SITELOCK™ by SiteLock Inc., or TRUSTE® by TRUSTe, Inc. may attest to the security and absence of malware or objectionable content on a particular website, with such attestation presented visibly to an end user viewing that website through a logo or graphic seal, and other means of presentation, such a presentation having an origin traceable to the attestation source.
Online commerce and auction sites such as AMAZON and eBay allow prior purchasers to rank or otherwise review both products and vendors, thereby attesting to the quality of the goods and services purchased, and/or the characteristics of the vendor.
Frequently, digital certificates are used to securely sign digital files, such as executable code, as well as digital documents and media content such as images and videos, to establish ownership and authenticity of the files, and to facilitate detection of tampering of tile content. In such a case, typically a given certificate owned by a content owner is traceable back to a root authority that has been granted the rights to generate and assign such certificates, typically for a fee. In this manner, the root authority attests to the genuineness of the certificate and its ownership, and the file owner attests to file ownership through having signed the file. The signing also is evidence of the integrity of the file, indicating that the file has not been tampered with since the file was signed.
In U.S. Pat. No. 8,176,336, attestation is further utilized in regard to establishing and providing assurance of the trust level and integrity of a computing platform, wherein a verifiable trust level is achieved and attested to, of a computing base platform, with the conclusion of trustworthiness being based upon monitoring privileged memory area access attempts plus operations and instructions over a hardware bus during the computing platform boot sequence. U.S. Pat. No. 8,037,318 presents use of attestation in specifying and resolving trust relationships and dependencies between computing system components. An earlier U.S. Pat. No. 7,797,544, presents the use of a certificate chain and digital signatures within the use of attestation for establishing trust between separate computer entities.
In each of the aforementioned examples, attestation provides a means of reusing and propagating the previously accomplished diligence of an attesting entity or “attester”, and of making reproducible use of that entity's expertise and the trust vested in that entity.