Tuesday, May 11, 2010

Authenticity

http://www.clir.org/pubs/reports/pub92/lynch.html
Authenticity

Validating authenticity entails verifying claims that are associated with an object—in effect, verifying that an object is indeed what it claims to be, or what it is claimed to be (by external metadata). For example, an object may claim to be created on a given date, to be authored by a specific person, or to be the object that corresponds with a name or identifier assigned by some organization. Some claims may be more mechanistic and indirect than others. For example, a claim that "This object was deposited in a given repository by an entity holding this public/private key pair at this time" might be used as evidence to support authorship or precedence in discovery. Typically, claims are linked to an object in such a way that they include, at least implicitly, a verification of integrity of the object about which claims are made. Rather than simply speaking of the (implied) object accompanying the claim (under the assumption that the correct object will be kept with the claims, and that the object management environment will ensure the integrity of the object) one may include a message digest (and any necessary information about canonicalization algorithms to be applied prior to computing the digest) as part of the metadata assertion that embodies the claim.

It is important to note that tests of authenticity deal only with specific claims (for example, "did X author this document?") and not with open-ended inquiry ("Who wrote it?"). Validating the authenticity of an object is more limited than is an open-ended inquiry into its nature and provenance.

There are two basic strategies for testing a claim. The first is to believe the claim because we can verify its integrity and authenticate its source, and because we choose to trust the source. In other words, we validate the claim that "A is the author of the object with digest X" by first verifying the integrity of the object relative to the claim (that it has digest X), and then by checking that the claim is authenticated (i.e., digitally signed) by a trusted entity (T). The heart of the problem is ensuring that we are certain who T really is, and that T really makes or warrants the claim. The second strategy is what we might call "independent verification" of the claim. For example, if there is a national author registry that we trust, we might verify that the data in the author registry are consistent with the claim of authorship. In both cases, however, validating a claim that is associated with an object ultimately means nothing more or less than making the decision to trust some entity that makes or warrants the claim.

Several final points about authenticity merit attention. First, trust in the maker or warrantor of a claim is not necessarily binary; in the real world, we deal with levels of confidence or degrees of trust. Second, many claims may accompany an object; in evaluating different claims, we may assign them differing degrees of confidence or trust. Thus, it does not necessarily make sense to speak about checking the authenticity of an object as if it were a simple true-or-false test—a computation that produces a one or a zero. It may be more constructive to think about checking authenticity as a process of examining and assigning confidence to a collection of claims. Finally, claims may be interdependent. For example, an object may be accompanied by claims that "This is the object with identifier N," and "The object with identifier N was authored by A" (the second claim, of course, is independent of the document itself, in some sense). Perhaps more interesting, in an archival context, would be claims that "This object was derived from the object with message digest M by a specific reformatting process" and "The object with message digest M was authored by A." (See Lynch 1999 for a more detailed discussion of this case.)
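As an added illustration (not code from the report or this blog), the Python sketch below carries out the first strategy and the interdependent archival claims described above: each claim names an object digest, is authenticated by a warrantor T, and yields a degree of confidence rather than a yes/no answer. The warrantor names, keys, trust values and the rule that confidence multiplies along a derivation chain are assumptions made for the example, and HMAC-SHA256 stands in for a digital signature so that it runs on the standard library alone.

```python
import hashlib, hmac, json

# Constructed trust store: warrantor T -> (key, degree of trust). Assumption: HMAC-SHA256
# stands in for T's digital signature (stdlib only); real systems verify a public-key signature.
TRUSTED = {"T-registry": (b"constructed-key-1", 0.75),
           "T-archive": (b"constructed-key-2", 0.5)}

def digest(obj: bytes) -> str:
    return hashlib.sha256(obj).hexdigest()

def _tag(key: bytes, claim: dict) -> str:
    # Canonicalize the assertion (sorted keys, fixed separators) before authenticating it.
    body = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def warrant(claim: dict, warrantor: str) -> dict:
    return {"claim": claim, "warrantor": warrantor,
            "tag": _tag(TRUSTED[warrantor][0], claim)}

def claim_confidence(assertion: dict) -> float:
    """Trust placed in the warrantor if the claim authenticates, else 0.0."""
    # An unknown warrantor gets an empty key and zero trust, so the result is 0.0.
    key, trust = TRUSTED.get(assertion["warrantor"], (b"", 0.0))
    ok = hmac.compare_digest(_tag(key, assertion["claim"]), assertion["tag"])
    return trust if ok else 0.0

def authorship_confidence(obj: bytes, author: str, assertions: list) -> float:
    """Confidence that `author` wrote `obj`, following derived_from claims.
    Assumption: confidence multiplies along a chain; the best chain wins."""
    def walk(d: str, seen: frozenset) -> float:
        best = 0.0
        for a in assertions:
            c = a["claim"]
            if c["digest"] != d:  # integrity: the claim must name this exact digest
                continue
            if c["type"] == "authored_by" and c["author"] == author:
                best = max(best, claim_confidence(a))
            elif c["type"] == "derived_from" and c["source"] not in seen:
                best = max(best, claim_confidence(a) * walk(c["source"], seen | {c["source"]}))
        return best
    d = digest(obj)
    return walk(d, frozenset({d}))

# Constructed sample: an original and a reformatted copy, each with one claim.
ORIGINAL, REFORMATTED = b"constructed original bytes", b"constructed reformatted bytes"
ASSERTIONS = [
    warrant({"type": "authored_by", "digest": digest(ORIGINAL), "author": "A"}, "T-registry"),
    warrant({"type": "derived_from", "digest": digest(REFORMATTED),
             "source": digest(ORIGINAL)}, "T-archive"),
]
```

An altered object hashes to a digest that no claim names, so it scores 0.0 without any separate integrity step, and the function answers only the specific question "did A author this?", never "who wrote it?".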
