Saturday, February 10, 2007

Intro to crypto-less assertions

Somewhat simplified, an assertion can be defined as a statement or a claim from someone about something or someone, for example “Bob says Alice is skilled”.

Assertions are used often in computer protocols. Various attempts have been made to codify assertions: among the most common attempts are X.509 certificates and SAML assertions.

Both X.509 and SAML satisfy needs within their communities quite well. However, there are a few hurdles that make them less likely to spread out beyond their current confines: trusted third parties, cryptography, and inherent inflexibility in a system with such pre-generated statements.

A recipient verifies one of these assertions by checking a digital signature over its content (that is how Carol knows that it really is Bob’s assertion about Alice, and not Alice pretending to be Bob). Both X.509 and SAML use public key crypto, but it is possible to devise systems based on secret keys (for example a MAC shared between asserter and recipient) as well.

Cryptography is normally difficult to get right, and given a choice most people would rather not deal with it. On top of that, for most assertions the asserter and the recipient need to agree on a trusted third party (a certificate authority for X.509, an identity provider for SAML) that vouches for the asserter’s key.

In real life, when Bob tells you something, you may not be ready to accept it just yet. Perhaps you need Dave and Eric to state the same fact before you accept it. Or perhaps if Alice said it, you’d be fine with it and wouldn’t need to hear from someone else.

That’s how we do it in real life: we trust people to various degrees. Crypto-less assertions strive to get rid of the issues with current crypto-based assertions, and they map onto real life by providing a means for relative trust.
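As an added example (not code from the original post, and not the crypto-less scheme it goes on to describe), here is the crypto-based model the post is contrasting with, with the relative-trust policy of the previous paragraph layered on top: each assertion is signed with the asserter’s Ed25519 key, the recipient first checks the signature against the key it has registered for the named asserter (so Alice signing “Bob says Alice is skilled” with her own key is rejected), and only then applies a weighted threshold such as “Alice alone is enough, or any three of Bob, Dave and Eric”. The names, the weights, the key registry and the canonical encoding are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Assertion is a claim by Asserter about Subject, e.g. "Bob says Alice is skilled".
type Assertion struct {
	Asserter string
	Subject  string
	Claim    string
}

// SignedAssertion carries an assertion and the asserter's signature over it.
type SignedAssertion struct {
	Assertion
	Signature []byte
}

// encode produces the canonical bytes that get signed. The 16-bit length
// prefix on each field keeps "Bo"+"bAlice" and "Bob"+"Alice" from colliding.
func (a Assertion) encode() []byte {
	var out []byte
	for _, f := range []string{a.Asserter, a.Subject, a.Claim} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// Sign signs the assertion with priv, which should belong to a.Asserter.
func Sign(a Assertion, priv ed25519.PrivateKey) SignedAssertion {
	return SignedAssertion{Assertion: a, Signature: ed25519.Sign(priv, a.encode())}
}

// Verify checks the signature against the public key registered for the
// asserter the assertion names. An assertion naming Bob but signed with
// some other key fails here, which is the forgery the post describes.
func Verify(sa SignedAssertion, keys map[string]ed25519.PublicKey) bool {
	pub, ok := keys[sa.Asserter]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, sa.Assertion.encode(), sa.Signature)
}

// Policy is the recipient's relative trust: every asserter has a weight, and a
// claim is accepted once the weights of distinct verified asserters making the
// same claim about the same subject reach Threshold.
type Policy struct {
	Weights   map[string]int
	Threshold int
}

// Accept decides whether the presented assertions satisfy the policy for
// (subject, claim). Unverifiable or off-topic assertions are ignored, and an
// asserter counts once however many copies of its assertion are presented.
func (p Policy) Accept(subject, claim string, sas []SignedAssertion, keys map[string]ed25519.PublicKey) bool {
	seen := map[string]bool{}
	total := 0
	for _, sa := range sas {
		if sa.Subject != subject || sa.Claim != claim || seen[sa.Asserter] {
			continue
		}
		if !Verify(sa, keys) {
			continue
		}
		seen[sa.Asserter] = true
		total += p.Weights[sa.Asserter]
	}
	return total >= p.Threshold
}

// newKey generates a fresh Ed25519 key pair for one constructed participant.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo plays out the post's scenarios with constructed keys and an assumed
// policy (Alice weight 3, Bob/Dave/Eric weight 1 each, threshold 3) and returns
// the recipient's decision for each.
func Demo() (bobAlone, threeWitnesses, aliceAlone, forgedBob bool) {
	alicePub, alicePriv := newKey()
	bobPub, bobPriv := newKey()
	davePub, davePriv := newKey()
	ericPub, ericPriv := newKey()
	keys := map[string]ed25519.PublicKey{"Alice": alicePub, "Bob": bobPub, "Dave": davePub, "Eric": ericPub}
	policy := Policy{Weights: map[string]int{"Alice": 3, "Bob": 1, "Dave": 1, "Eric": 1}, Threshold: 3}

	// says builds "<who> says Alice is skilled", signed with whatever key is passed in.
	says := func(who string, priv ed25519.PrivateKey) SignedAssertion {
		return Sign(Assertion{Asserter: who, Subject: "Alice", Claim: "skilled"}, priv)
	}
	bobAlone = policy.Accept("Alice", "skilled", []SignedAssertion{says("Bob", bobPriv)}, keys)
	threeWitnesses = policy.Accept("Alice", "skilled",
		[]SignedAssertion{says("Bob", bobPriv), says("Dave", davePriv), says("Eric", ericPriv)}, keys)
	aliceAlone = policy.Accept("Alice", "skilled", []SignedAssertion{says("Alice", alicePriv)}, keys)
	// Alice pretending to be Bob: the assertion names Bob but carries Alice's signature.
	forgedBob = policy.Accept("Alice", "skilled",
		[]SignedAssertion{says("Bob", alicePriv), says("Dave", davePriv), says("Eric", ericPriv)}, keys)
	return
}

func main() {
	b, t, a, f := Demo()
	fmt.Println("Bob alone accepted:", b)                 // false
	fmt.Println("Bob, Dave and Eric accepted:", t)        // true
	fmt.Println("Alice alone accepted:", a)               // true
	fmt.Println("Forged Bob plus Dave and Eric accepted:", f) // false
}
```

The separation matters: the signature check answers only “who said this?”, and the policy answers “do I believe it?”. Everything the post finds burdensome lives in the first step (key distribution, agreeing on who vouches for which key), which is the part a crypto-less scheme has to replace while keeping the second.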

In my next post, I’ll get into the technical details how these types of assertions work. Stay tuned.

Update (February 12): posted the follow-up, Crypto-less assertions defined.


Reader Comments (1)

I don't yet see a compelling need for crypto-less assertions, but I am looking forward to learning more about the specifics, since I've always felt that URL-based assertion is a valid alternative to crypto-based assertions.
February 12, 2007 | Unregistered CommenterDon Park
