“Trust Anchors” msj: several individual TAs need explicit revoke to protect against single key compromise “traditional” semantics for trust (any one key is fine) johani: one “aggregated” TA (an aggregate of several keys) no need for explicit revoke more complex semantics for “when to trust” (an update) - “M of N” |