[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: on the nature of trust

On Thu, 12 Feb 1998, Carl Ellison wrote:

-> >From: Ed Gerck <egerck@laser.cps.softex.br>
-> >To: MCG <mcg-talk@novaware.cps.softex.br>
-> >Subject: Towards a real-world model of trust
-> >Today's protocols such as X.509, PGP and others, take a leap of ignorance
-> >on what trust is and start by defining means to convey it. Such attitude
-> >is not even empirical, it is indeed arbitrary. To justify this leap of
-> >ignorance, standards such as X.509 have statements to the effect that "...
-> >such will be defined in the CPS, which is not a part of this document." --
-> >as if assumptions could be defined after the theorems that use them.
-> Ed,
-> 	that was a beautifully written paragraph!


Thank you. 

-> >Thus, loosely speaking, information is what you do not know and trust is
-> >what you know. 
-> This is an interesting approach.  Of course, by this definition what we're 
-> dealing with in SPKI is what we know -- confirmed knowledge -- rather than
-> trust.  PGP comes closest to using trust by this definition.  Right?

I think that I could generalize (for the sake of understanding) and say
that *all* certification procedures exist in order to transfer information
according to some security model. Agreed? 

Now, we have to be precise and use IT terminology, ie, Shannon's, from now
on. Knowledge is never transfered -- because it already exists on both
sides. So, SPKI also transfers information. 

However, my quoted sentence above is *not* precise (as it says, it was
expressed in loose terms, more to convey a working idea of the concept). 
The precise definition of trust that I have been using with coeherent
result is the one that you quote below and is the "official"  definition,
so to say. 

The main reason why the quote above is imprecise is that trust is also
information but information of a special kind. Further, trust is not
"knowledge" in the sense that everyone knows it, but in the sense that
*you* know it.

(PGP is very similar to X.509 as explained in the new version of the
Overview paper at http://www.mcg.org.br/cert.htm . I would just remark
that IMO *all* certification procedures need to also transfer trust,
however minimal) 

-> >trust: "trust is that which is essential to a communication channel but
-> >which cannot be transferred from a source to a destination using that
-> >channel" ,
-> Again -- an interesting concept.

I'll try to provide more "food for thought" -- also to exercise the
concept and show its usefulness and hopefully allow weaknesses to be
found. Of course, any scientific concept must withstand the acid test of
experimentation, in order to see how well it represents reality and to
what extent.

The definition that of trust that I focus on is:

 Trust: "Trust is that which is essential to a communication channel but
         which cannot be transferred from a source to a destination using
         that channel"  

and I will capitalize Trust whenever I refer to Trust in that context from
now on -- to provide for the correct scope (I'll do the same for
Information, using Shannon's def for it when capitalized). Let me make
some comments/derivations based on Trust def/math. 

First, let's see an example involving Trust and knowledge in order to
motivate the result that absolute knowledge cannot transfer Trust -- which
is a good thing! Here, as exemplified in IT, if a message does not
transfer Information then it just means that it has no surprises to you --
it does not mean it's wrong or it's useless. So, a message which cannot
transfer Trust means that it cannot be subject to semantic noise when
transmitted -- which immunity is excellent. Though useless if you want it
to support your claims! 

The example is as follows. If the only thing you Trust is crypto math then
you Trust it because of an out-of-band communication (such as
mathematically deriving the algorithm, which provided for your self-Trust
on the math -- "Trust only exists as self-Trust" applies here) which is
independent from its use (such as actually applying the algorithm). This
is also the only Trust you could transfer because it is the only one you
have. However, that is hardly possible because such Trust is not
information (no surprises, old stuff)  to anyone, so in fact, such Trust
already exists as knowledge.  This means that you cannot transfer Trust if
the only Trust you have is in crypto math. Generalizing, you cannot   
transfer Trust if that Trust is knowledge -- or, knowledge cannot transfer

Simply speaking (again, this is NOT the def), Trust is semantic
Information. There is no semantic Information in knowledge because the
semantics is already known. 

This also means that the least the amount of Trust you need to transfer,
the more the other party can rely on your information.        

NOISE: When Trust is defined as that essential part which CANNOT be
transferred using the same channel, this applies even if the channel is
noiseless, distortionless -- perfect. So, what taints trust with
information is NOT the syntatic noise but what I call the "semantic
noise". Now, modelling the semantic noise is quite another subject, better
left for another msg, but suffices it to say that semantic noise can be
discontinuous and provide for an abrupt change -- which the syntatic noise
can never do unless it is either quantum noise or involves infinite power
and bandwidth. 

KNOWLEDGE: there is absolute knowledge. For example, pi is 3.141592...,
hidrogen emits the same lines of radiofrequency here and in Andromeda,
three is prime, etc. 

ISOLATION: Information CANNOT become Trust. If we take the definition of
Trust, we see that Trust is NOT information regarding the *original*
channel because it CANNOT be transferred in the same *original* channel.
However, Trust is Information as it regards other channels. 

ANOTHER EXAMPLE: (Q & A, note the uncap'd "t" in trust) This highlights
the differences in syntatic content. semantic content, using Trust,
establishing initial Trust, etc.

Question: Prospective employers will need to rely on a candidate's
self-published credentials. How can an initial level of trust be
established, in order for the credentials to be considered any further? 
Could this trust be based only on the relying party's assumptions of
truth, since the risk factor is limited to only the investment of
timerequired to further investigate the candidate's suitability?

Answer: Trust can only be established by an out-of-band communication,
which needs by necessity an outside source since the subject is the
recipient.  An assumption is not communication with an outside source,
being merely a thought process within the subject's mind. So, either the
prospective employer decides to review the candidate's application because
of its syntatic content alone (such as: he needs an employee with the
candidate's qualifications and what the candidate wrote as his area of
expertise is acceptable)  or because of Trust that he receives out-of-band
(such as:  someone else he Trusts told him in the past that the candidate
was a loyal employee). 

-> >To answer this question, we must now look at the mathematical properties
-> >of trust. This is also similar to Shannon's approach -- when the
-> >logarithmic function was found very useful to represent information
-> >content and allowed new insights. As in [5], trust has the following
-> >main mathematical properties: 
-> >
-> > - not transitive
-> > - not distributive
-> > - not symmetric
-> >
-> >where the reader can see the first two properties exemplified on-line in
-> >[5].  The last property is straightforward: the fact that a lion trusts
-> >a lamb does not mean that the lamb trusts the lion. 
-> I think this too is an interesting discussion, but by this point I believe 
-> you should have introduced my favorite point.

;-) one cannot be perfect...

-> I knew a woman once whose husband drove their one car to work, so I 
-> used to give her rides home from work and to other activities.  I asked her 
-> husband once if he minded that I was driving his wife around.  He said, "No, 
-> I trust her."  Well, I trusted her too, because we developed a friendship 
-> and she told me what was on her mind.  I learned from her about the several 
-> affairs she was having in the office and outside.  We both trusted her but
-> it's clear we believed different things when we each said "I trust her".
-> To me, this demonstrates the killer flaw in the way we use the word trust.  
-> US currency says "In God we trust".  That's about the only valid use of the 
-> naked word "trust" I will admit to.  Otherwise, we need to declare what we 
-> believe about a person -- or what attribute that keyholder has, in our 
-> context -- not something as nebulous as "trust".

Exactly, I trust A on matters of X (sounds familiar?). I would add that
"Trust only exists as self-Trust", which brings about the notion how can
Trust be communicated, increase, decrease, etc. Some references to that
can be found at http://www.mcg.org.br/emails.htm and in the threads of
that discussion (the e-mail repository can be reached from this page) and 
by doing a search on the word trust at http://www.mcg.org.br/search.htm 

-> >Neither can trust be thought of as a type of authorization loop, where
-> >trust flows from the source to the destination and back to the source,
-> >similar to a battery and electric current. [6]
-> No, I don't believe trust can, the way you've defined trust.  However, 
-> authorization can -- and does.  I'll do another pass over the draft
-> and make sure I don't use the word trust in appropriately.

I'll wait for that until I take my pass at it (anyway, this msg is already
huge). However, that also depends how one defines what is authorization.

I enjoyed your questions and I hope to have provided enough examples and
extensions in order to improve the initial exposition on the
conceptualization of Trust. 


Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---

Follow-Ups: References: