[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Trust and Transitivity

At 4:53 PM -0700 5/22/97, Tony Bartoletti wrote:
>Ed Gerck wrote "However, trust is not transitive."
>I believe that, functionally speaking, trust IS transitive, in as much as we
>speak to the limited domains of trust represented by signed (auth tag) certs.
>When I sign your key with the tag X, I am saying that I trust you to be
>(honest, knowledgeable, use-good-judgement) in matters of X.  I may not
>trust Khaddafi in such matters, or think that I do not, but if YOU do and
>you are basing your actions on his behalf, than I am implicitly trusting
>Khaddafi.  Had I known that you get your direction from Khaddafi, I might
>not have placed trust in you in the first place, but that is a another issue.

Note that this is just another manifestation of the fact that you can't
prevent delegation.  If I try to prevent you from delegating to Khaddafi,
then you can just set yourself up as a proxy for Khaddafi's requests,
bypassing the delegation restriction.  If I trust you then I implicitly
have to trust the programs you trust.  If I want to keep you from
delegating to Khaddafi, then I have to prevent you from communicating to

At 6:35 PM -0700 5/22/97, E. Gerck wrote:
>No. Your example actually proved my assertion.
>To make it more clear, let me use a quantitative example.
>1. Skywalker signs Alice's key with tag X, so Skywalker trusts Alice in
>matters of X,
>2. Skywalker meets Bob and Bob decides that he trusts Skywalker in matters
>of X.
>The question is: "Can you say that Bob trusts Alice in matters of X, based
>on the two assertions before?"
>The answer is "No". Let's see why.

The answer is that once Bob decided to trust Skywalker, there was nothing
he could do to prevent Skywalker from using that trust on behalf of Alice.
Since we are talking about programs here, and not people, if and only if
Bob can trust the system running Skywalker to keep Skywalker from
communicating with Alice, then Bob does not need to trust Alice.

>In other words, this is NOT a transitive behavior because you CANNOT
>guarantee that if Skywalker trusts Alice with degree "a" and if
>Bob trusts Skywalker with degree "b" then Bob trusts Alice
>with degree "c" such that c = a * b.

I am only speaking about the case where a==b.  I don't think we have a
general solution for composing trust statements, although we allow ad hoc
composition in the algorithms of the verifier.

Bill Frantz       | The Internet was designed  | Periwinkle -- Consulting
(408)356-8506     | to protect the free world  | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments.  | Los Gatos, CA 95032, USA

Follow-Ups: References: