
Re: on the nature of trust



I'm trying to cut in only the relevant parts here, I hope I don't cite
anything too much out of context.

Ed Gerck wrote:
> I think that I could generalize (for the sake of understanding) and 
> say that *all* certification procedures exist in order to transfer 
> information according to some security model. Agreed?

And to transfer information, we need to establish trust.  This trust must
be in a form that is independent of the channel used, and cannot contain
semantic information in regards to that particular channel. Else we would
not be transferring trust according to your definition below.

>  Trust: "Trust is that which is essential to a communication channel 
>          but which cannot be transferred from a source to a 
>          destination using that channel"

> This also means that the less the amount of Trust you need to 
> transfer, the more the other party can rely on your information.

The implications of this statement are what intrigue me.  If you
automatically transfer a large amount of trust, you run the risk of
tainting the information.  This seems to be something very similar to the
principle of "least privilege" in computer security.  I believe that the
similarity is no coincidence; it may in fact be that the principle of
"least privilege" is a direct result of this statement.

Now, wouldn't this imply that when you need to transfer authority (the
issue we are primarily concerned with), you must keep the amount of trust
transferred to a minimum to avoid tainting other transfers?  And that
transfer of unspecified authority a la X.509 essentially nullifies any
trust that can be placed on the certification, because the trust is common
to all channels?  Whereas transfer of trust in regards to a clearly
restricted authentication as in SPKI can be done more reliably?

And above all, how would one reliably model the separate transfers of trust
and authentication that occur in most current certification schemes?  Can a
single syntactic channel, such as an SPKI certificate, be considered as
consisting of separate semantic channels, one (or more) for trust and one
for information (the authorization itself)?

I am looking forward to Carl's and Ed's views on how the necessary trust
for SPKI-based authorizations is transferred.

Cheers,
Camillo
-- 
Camillo Särs <Camillo.Sars@DataFellows.com>   Data Fellows Ltd.
http://www.Europe.DataFellows.com/      Aim for the impossible and you
http://www.iki.fi/ged                   will achieve the improbable
