Traditionally, network connections were formed between a client computing device and a server computing device, where the server would act as a central repository of data. Thus, a client would select a specific server that would fulfill the client's needs, and would attempt to connect to that server. In attempting to connect to the server, the client would offer a form of identification and, if appropriate, a password or similar security information which would allow the client access to secured information. The server would compare the client's identification and, if necessary, security information to a database of clients to which the server had agreed to grant access. If the client's identification and security information matched an entry in the database, the server granted the client access.
The above system, however, assumes that the client has some mechanism by which it can verify the identity of the server. For example, many clients connected to a particular server through a modem connection by dialing a phone number assigned by the phone company to that server. In such a case, the client could be assured that the proper server was receiving the client's authentication information because the phone number was guaranteed by the phone company to connect only to the assigned destination. However, as the prominence of the Internet and the World Wide Web grew, more and more connections between clients and severs were formed via dedicated networking connections that passed through intermediate computing devices known as routers. Such routers would direct client communication to particular servers based on routing tables or similar information correlating human-readable server names to Internet addresses that were often variable. If one or more routing tables was compromised, a client's communications could be directed to an improper server. Often such improper servers presented themselves as the proper server in an effort to obtain the client's authentication information. Consequently, the need arose for a mechanism by which a server could prove to a client that the server was indeed what it represented itself to be.
A Certificate Authority (CA) can act as an independent verification that the server with which the client is communicating is indeed what it represents itself to be. Specifically, the server can offer to the client a protected identifier, such as a signed certificate, that the client can verify with the third party CA that the client trusts. In one common mechanism employed today, the client can verify the protected identifier because the client has received, in a trustworthy manner, the CA's public key, which the client can use to decode the protected identifier. Using such a mechanism, the protected identifier that the server offers to the client can be that server's certificate signed by the CA's private key. Since only the CA would have access to the CA's private key, and only the CA's public key can decode such as a signed certificate, if the signed certificate is decoded properly by the client using the CA's public key, the client determine that the CA has signed the certificate and verified the information contained therein. Once the client is satisfied that the server is what it purports to be, the client can proceed to identify itself to the server as indicated above.
In peer-to-peer networks however, there is no central server to which clients can connect. Instead, client computing devices communicate with one another, forming a network out of a series of client-to-client connections. While a client-to-client connection can be secured in the manner described above, it is impractical for each individual client device to register itself with an independent third party CA. Therefore, what is needed is a mechanism by which one client can authenticate itself to another client without requiring the cost and complexity of registering with a third party CA. Similarly, once the client is authenticated, there exists the need for authorization mechanisms which can enable one client to access the data and resources of another client.