[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Trust and Transitivity

On Fri, 23 May 1997, Bill Frantz wrote:

-> At 4:53 PM -0700 5/22/97, Tony Bartoletti wrote:
-> >Ed Gerck wrote "However, trust is not transitive."
-> >
-> >I believe that, functionally speaking, trust IS transitive, in as much as we
-> >speak to the limited domains of trust represented by signed (auth tag) certs.
-> >
-> >When I sign your key with the tag X, I am saying that I trust you to be
-> >(honest, knowledgeable, use-good-judgement) in matters of X.  I may not
-> >trust Khaddafi in such matters, or think that I do not, but if YOU do and
-> >you are basing your actions on his behalf, than I am implicitly trusting
-> >Khaddafi.  Had I known that you get your direction from Khaddafi, I might
-> >not have placed trust in you in the first place, but that is a another issue.
-> Note that this is just another manifestation of the fact that you can't
-> prevent delegation.  If I try to prevent you from delegating to Khaddafi,
-> then you can just set yourself up as a proxy for Khaddafi's requests,
-> bypassing the delegation restriction.  If I trust you then I implicitly
-> have to trust the programs you trust.  If I want to keep you from
-> delegating to Khaddafi, then I have to prevent you from communicating to
-> Khaddafi.

I think there are 2 entirely different subjects here (besides your

1. (the original one) If [I sign your key with tag X] and [you sign
Khaddafi's key with tag X] then [I trust Khaddafi on matters of X] then [I
sign Khadaffi's key on matters of X]. That would be transitive trust, and
it would mean that I am not only willingly trusting Khadaffi but also
signing his key (if I trust him on matters of X, why not?).

That is what I said is wrong. Trust is not transitive.

2. (Tony's assertion) If [I sign your key with tag X] and [I do not trust
Khadaffi on matters of X] and [you trust Khaddafi on matters of X] then [I
am implicitily trusting Khadaffi on matters of X]. That would be implict
trust because you are unwillingly trusting Khaddafi.. That is correct. 
However, you would not be legally responsible for that and certainly you
would NOT sign Khadaffi's key.

That's why I commented that Tony's example actually proved my assertion
that (1) is wrong, because Tony would NOT sign Khadaffi's key even though
he (correctly) pointed out that he could be even implicitily trusting
Khadaffi. So, trust is NOT transitive, even in the presence of an implicit

Tony's example is thus even STRONGER than my initial statement that trust
is not transitive ;-)


Ed Gerck

Dr.rer.nat. E. Gerck                        egerck@laser.cps.softex.br
P.O.Box 1201, CEP13001-970, Campinas-SP, Brazil  - Fax: +55-19-2429533