[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The role of trust in certification

On Thu, 12 Feb 1998, Tony Bartoletti wrote:

-> This debate regarding "I use because I trust" vs "I trust because I used" is
-> interesting, but any hopes of resolution can only occur in a theoretical
-> arena.
-> In the realm of certification and PKI, this discussion can only be of value
-> if concrete examples are offered.  Then we all have something a bit more
-> definitive to shoot at;)
-> Hoping for some good targets;)

Tony and all:


First, IMO we have to enjoy the trip through the looking glass a bit more,
so that we can exercise one view against its mirror-image and see "whether
certificates are trustful because they certify, or certify because they
are trustful.". 

This is not a play in words. Maybe it helps first to see certs as tools,
whereas they have been seen as IDs for too long. Tools have purposes.
Tools are verbs, whereas ID are nouns. Tools are methods, whereas IDs are

Requoting part of a quote ;-), let's set the stage:


 I believe that one of the big reasons why the Computer Crypto
 Community has long been going down the wrong (certify because they are
 trustful) path is because the early players were dominated by Military
 Intelligence players, and CIA/KGB minded folk.

 And, I believe it is true their world the they need to use "certify
 because they are trustful" logic.  In that world, a spy contracts to
 work for a spymaster who gives him codes and instructs him to trust
 the people the spymaster tells him to trust.  That is not the "otehr
 world" of business where trust is earned, not merely assigned.


So, in the hierarchical trust regime, trust is objective, absolute and
top-down. The liability is 100% in the issuer's hands and the relying
party relies 100% on the issuer's declaration which were given to him in a
secure environment, with an unsecure protocol an trusted couriers.

But, in the archetypical trust regime, trust is subjective, relative, and
grass-roots. The liability is shared between issuer and the relying party,
where the relying party also partly relies on the issuer's declarations,
which where given to him in an unsecure environment, with a secure
protocol and untrusted couriers.

You have the full spectrum, of course, but these are the end-points. 
Surely, the planetary Internet cannot fit under the hierarchical trust
model. A parochial Internet can fit under the hierarchical trust model if
all parties share an ab initio trust background (like, we are all Boeing

However, the hierarchical trust model has all eggs in one basket and when
disaster strikes -- it is big. For an example involving parochial players
(ie. hierachical trust model) in their own turf which found out that their
turf was not so parochial (ie, did not have the supposed ab initio trust
background), see the case of GM against VW where VW has fined US$ 1.1
billion dollars for industrial espionage, last year. 

To further exemplify some concepts here, let us use a scenario with two
strangers (let us say Skywalker and Alice) that want to have a transaction
or information exchange, for example with an exchange of values. 

Suppose Skywalker would acquire somewhere a list of TTPs so that Skywalker
would input it to his server and then be ready for e-commerce transactions
with Alice -- and Alice would do the same for her browser.

Of course, these lists would be utterly useless regarding Skywalker's
trust on these TTPs, as well as Alice's -- because trust is not something
you accept at face value by someone else's classification of it, even if
this someone else is some government because we are talking about the
Internet and surely jurisdiction questions would appear, not to talk about
civil rights questions, competition, etc. Neither can you accept it
regarding something, but you must evaluate it yourself for the purpose you
have in mind.

So, you trust **after** you evaluate, and for the evaluation's purposes.     

To finalize, we must acknowlege that spies <> commerce (see the e-mail
quote above).  

Surely, neither the planetary Net nor any CA/TTP/issuer can follow a model
where the issuer is 100% liable, the user is 0% liable and just uses
whatever cert is mandated to be used without questioning if it's from GM,
VW, the UK, the IRA, France, US, Saddam, Republican, Democrat, etc.

Hope I provided enough targets '-)



Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---

Follow-Ups: References: