Hacker News

What does "zero trust" mean in this context? I assume the network isn't trusted, but is anything else trusted? How are peers authenticated and/or authorized to access a zrok end-point?


There's always a "root" of trust somewhere/somehow. Ideally it's a human that you trust. In the case of zrok, it uses a secure zero trust overlay provided by OpenZiti. You "enabling" zrok in your shell is that root of trust. You get an x509 certificate which is then used to attach to the zero trust overlay. On the other side, when you "zrok access" you provide a unique token that has been shared with you by someone you trust (presumably). So you, as the person doing the sharing, are the real "root" of the trust. You're trusting that zrok isn't compromised and that the certificate that is returned to you from the overlay is trustworthy, etc. I could go on - but that's hopefully enough of an overview.


Thanks; that's exactly the ELI5 I was looking for.


Along those lines, I wrote a blog on how I described my job and zero trust to my daughter (who is 5) by using Harry Potter analogies - https://netfoundry.io/demystifying-the-magic-of-zero-trust-w...



