Computer Security Resource Center


trust anchor

Abbreviation(s) and Synonym(s):

None

Definition(s):

  A public or symmetric key that is trusted because it is directly built into hardware or software, or securely provisioned via out-of-band means, rather than because it is vouched for by another trusted entity (e.g. in a public key certificate).
Source(s):
NIST SP 800-63-2 under Trust Anchor [Superseded]

  A CA with one or more trusted certificates containing public keys that exist at the base of a tree of trust or as the strongest link in a chain of trust and upon which a Public Key Infrastructure is constructed. “Trust anchor” also refers to the certificate of this CA.
Source(s):
NIST SP 800-152 under Trust anchor

  1. An authoritative entity for which trust is assumed. In a PKI, a trust anchor is a certification authority, which is represented by a certificate that is used to verify the signature on a certificate issued by that trust-anchor. The security of the validation process depends upon the authenticity and integrity of the trust anchor's certificate. Trust anchor certificates are often distributed as self-signed certificates.
Source(s):
NIST SP 800-57 Part 1 Rev. 4 under Trust anchor

  2. The self-signed public key certificate of a trusted CA.
Source(s):
NIST SP 800-57 Part 1 Rev. 4 under Trust anchor

  An established point of trust (usually based on the authority of some person, office, or organization) from which an entity begins the validation of an authorized process or authorized (signed) package. A "trust anchor" is sometimes defined as just a public key used for different purposes (e.g., validating a certification authority (CA), validating a signed software package or key, validating the process (or person) loading the signed software or key).
Source(s):
CNSSI 4009-2015

  A public key and the name of a certification authority that is used to validate the first certificate in a sequence of certificates. The trust anchor’s public key is used to verify the signature on a certificate issued by a trust-anchor certification authority. The security of the validation process depends upon the authenticity and integrity of the trust anchor. Trust anchors are often distributed as self-signed certificates.
Source(s):
NIST SP 800-57 Part 1 Rev. 3 under Trust anchor [Superseded]

  A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A validating DNSSEC-aware resolver uses this public key or hash as a starting point for building the authentication chain to a signed DNS response. In general, a validating resolver will need to obtain the initial values of its trust anchors via some secure or trusted means outside the DNS protocol. The presence of a trust anchor also implies that the resolver should expect the zone to which the trust anchor points to be signed. This is sometimes referred to as a “secure entry point.”
Source(s):
NIST SP 800-81-2 under Trust Anchor
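As an added illustration of the DNSSEC definition above (example code, not from the NIST source), the following Python models the check a validating resolver performs: whether a DNSKEY RR it received for a zone is the secure entry point that its configured DS trust anchor commits to (matching owner name, key tag, algorithm and SHA-256 digest). The zone name and key bytes are constructed, not real.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:  # one DNSKEY RR as received in a signed DNS response
    owner: str
    flags: int       # 257 = ZONE + SEP (secure entry point)
    protocol: int    # must be 3
    algorithm: int   # e.g. 8 = RSASHA256
    public_key: bytes
    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key
    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B: 16-bit sum over RDATA with the carry folded in."""
        ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(self.rdata()))
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

@dataclass(frozen=True)
class TrustAnchorDS:  # a configured DS RR: the resolver's starting point for the chain
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes

def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(key: DNSKEY) -> bytes:
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(canonical_name(key.owner) + key.rdata()).digest()

def matches_trust_anchor(anchor: TrustAnchorDS, key: DNSKEY) -> bool:
    """True only if this DNSKEY is the key the configured trust anchor commits to."""
    if anchor.digest_type != 2 or canonical_name(anchor.owner) != canonical_name(key.owner):
        return False
    if key.protocol != 3 or key.algorithm != anchor.algorithm or key.key_tag() != anchor.key_tag:
        return False
    return hmac.compare_digest(ds_digest(key), anchor.digest)

# Constructed sample (not a real key): the zone's SEP key and the DS published for it, which a
# resolver would obtain out of band and configure as its trust anchor.
ZONE_KEY = DNSKEY("example.com.", 257, 3, 8, b"\x01\x02\x03\x04")
ANCHOR = TrustAnchorDS("example.com.", ZONE_KEY.key_tag(), 8, 2, ds_digest(ZONE_KEY))
```

A key with the same key tag but different key material is still rejected, because the key tag is only a lookup hint and the digest is the actual commitment.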

  A public or symmetric key that is trusted because it is directly built into hardware or software, or securely provisioned via out-of-band means, rather than because it is vouched for by another trusted entity (e.g. in a public key certificate). A trust anchor may have name or policy constraints limiting its scope.
Source(s):
NIST SP 800-63-3 under Trust Anchor

  The key for a certificate authority who issues certificates or authorizes others to do so on its behalf.
Source(s):
NISTIR 7682 under Trust anchor