Trust Anchor


Trust Anchor is defined in RFC 6024 as "Trust Anchor represents an Authoritative Entity via a Public Key and associated data".

Trust Anchor may be referred to as Sources of Authority (SoAs), Root Certificate, Certificate Authority.

The Public Key is used to verify Digital Signatures, and the associated data is used to constrain the types of information for which the Trust Anchor is authoritative.

A Relying Party uses Trust Anchors to determine if a digitally signed object is valid by verifying a Digital Signature using the Trust Anchor's Public Key, and by enforcing the constraints expressed in the associated data for the Trust Anchor.

In Cryptography and computer security, a Trust Anchor is either an unsigned public Key certificate or a Self-signed Certificate that identifies the Certificate Authority (CA).

Trust Anchor is part of a Public Key Infrastructure scheme.

The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a Digital Signature from a Certificate Authority (CA).

Trust Anchor is commonly called a Root Certificate.

Trust Anchors are kept within a Trust Anchor Store (or Keystore)

Trust Anchor when referring to Hardware and Operating Systems often use the term Roots of Trust (RoT)

Only Local Significance#

Trust Anchors have only local significance, i.e., each Relying Party is configured with a set of Trust Anchors, either by the Relying Party or by an entity that manages Trust Anchors in the context in which the Relying Party operates.

The associated data defines the scope of a Trust Anchor by imposing constraints on the signatures that the Trust Anchor may be used to verify.

Because one Relying Party says a Subject Certificate is a Trusted Certificate does not imply that the Subject Certificate is a Trusted Certificate to any other Relying Party

More Information#

There might be more information for this subject on one of the following: