[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MCG] Re: on the nature of trust

On Fri, 13 Feb 1998, 416720 forwarded the msg below:

-> Date: Thu, 12 Feb 1998 23:53:29 -0500
-> From: "Phillip M. Hallam-Baker" <pbaker@verisign.com>
-> To: Ed Gerck <egerck@laser.cps.softex.br>, Carl Ellison <cme@cybercash.com>
-> Cc: SPKI <spki@c2.net>, MCG <mcg-talk@novaware.cps.softex.br>
-> Subject: Re: on the nature of trust
->>On Thu, 12 Feb 1998, Carl Ellison wrote:
->>->>From: Ed Gerck <egerck@laser.cps.softex.br>
->>->>To: MCG <mcg-talk@novaware.cps.softex.br>
->>->>Subject: Towards a real-world model of trust
->>->>Today's protocols such as X.509, PGP and others, take a leap of ignorance
->>->>on what trust is and start by defining means to convey it. Such attitude
->>->>is not even empirical, it is indeed arbitrary. To justify this leap of
->>->>ignorance, standards such as X.509 have statements to the effect that
-> "...
->>->>such will be defined in the CPS, which is not a part of this document." --
->>->>as if assumptions could be defined after the theorems that use them.
->>-> Ed,
->>-> that was a beautifully written paragraph!
-> I don't think its quite fair to describe the developers of X.509 to be
-> taking
-> leaps of ignorance. Unless of course one is claiming that we are all poor
-> ignorants in the face of the great unknown.


Because ignorance is rather common, it it not infrequent to see the word
"ignorance" taken in a demeaning way -- and you are right in pointing out
that someone could interpret it that way -- so we all have once in a while
to go back and explain that, actually, ignorance means that which is
ignored, unknown, incognitus. And, unavoidable for all sentient beings
like us. 

So, IMO it's indeed fair and polite to say that X.509 takes a leap of
ignorance on what trust is, which simply means what it says: that X.509
ignores the issues of trust and jumps over it as if leaping a chasm. 

I would further add that I did *not* mean that X.509 takes a leap of faith
on what trust is, because not even faith on an ad-hoc trust concept is
offered in X.509! Only a leap in the chasm, but as we are often reminded:

  "The most dangerous strategy is to cross a chasm in two jumps." 

which is what happened in X.509 by postulating the first jump from the
user (ie, the verifier, the relying party) to the CA and the second jump
from the CA to the CPS. In other words, not only the user has to take a
jump of ignorance to the CA, he also has to take a jump of ignorance from
the CA to the CPS of that CA -- because the CPSs are not harmonized for
all CAs and because one thing is what is written in the CPS and quite
another is what is actually followed 100% of the time by that CA.

In the sentence after that, I also advanced the opinion that such attitude
could not be defended as empirical (as when Faraday did his experiments
while ignoring the basic laws of electromagnetism) but was indeed
arbitrary. Here, arbitrary meaning that it was done as a design choice
that followed individual preferences rather than a technical need.

Copying from the paper "Overview of Certification Systems: X.509, CA, PGP
and SKIP" at http://www.cg.org.br/cert.htm:

 While some consider the CPS mechanism to be a good way to introduce
 flexibility in X.509 because each CA can have their own rules for
 different needs, such mechanism can be considered as X.509's "black-hole"
 and cannot be harmonized for different CAs. Thus, while this "black-hole"
 mechanism affords a "solution" to the undefined semantic and trust
 features in X.509 (as they are declared out of scope and delegated to the
 CPS), such "laissez faire" attitude leaves ample room for strong
 differences between CAs and for a biased "take-it-or-leave it" attitude
 regarding what a CA subscriber can expect. Further, it does not scale to  a
 planetary Internet because even though it could work in a parochial
 Internet where everyone knows what to expect and share a common law and
 trust system, it is doubtful that it could be always successfully applied
 between competing businesses or different states in a country -- much
 less between different countries. 

-> If on the other hand the author was accusing others of an ignorance of
-> which he himself was not affected by then the statement sounds more
-> like flame bait.

Surely, there was no accusation. Merely a factual statement that an
arbitrary design attitude was followed in X.509, which contradicted logic
and scientific method. Thus, not to be affected by the same just means
that a scientist should do otherwise. 

But, actually, I did more than criticize X.509's basic inconsistency (as
any scientist could do, surely it is not the Koran). I offered a solution
and defined what was ignored. If such definition is correct or useful, or
if I should be flamed for the presumption of correctly defining what has
elluded others and hasn't even been tentatively defined in technical IT
terminology yet, time will decide. However, that a definition must be
offered is beyond flames, I believe and I think you agree.

Further, Newton's words are still clear to me as he explained that he
could see farther because he was on the shoulders of giants (his
predecessors). So, if it so results that I (and collaborators) indeed
succeed to conceptualize trust and provide a working certification theory,
plus a good software for that and it spreads over the Net enpowering
programmers and users with a secure platform, then I would not consider
myself infallible (as you seem to suggest) but as building upon work of
others -- such as upon your own or, X.509 authors!

Man inherits from man and progress is made of cycles upon cycles. This
work is non-partisan and "no political or country-oriented criticism is to
be construed from it, which respects all the apparently divergent efforts
found today on the subjects treated. Individuals or organizations are
cited as part of the fact-finding work needed for this work and their
citation constitutes neither a favorable nor an unfavorable recomendation
or endorsement." (cf. http://www.mcg.org.br/discl.htm) 

-> The whole point of layered abstraction is to ignore the inessential
-> details. The great advance in PKI came when the X.509 group
-> STOPPED attempting to dictate trust policies and left people to
-> develop them for themselves. PGP was a key part of this process
-> providng a timely and well chosen rebuttal of the monolithic ideas
-> embodied in PEM.

What you call a great advance I call a great mistake. (Possibly, I would
do the same mistake if positions were reversed, so that does not speak
much of my clarvoyance.)

The millions of dollars that have already been put into such a research
could have been STOPPED by first applying the book -- scientific method. A
PKI as has been proposed -- and defended -- is just a procrastinated
disaster which will possibly cost even more in lack of business use than
the money buried into such "research". To imagine that a PKI can be built
in order to manage trust while, at the same time, going against the basic
properties of trust is awesome. In this case, not even ignorance can be
claimed -- because no one ignores that PGP already said "trust is not
transitive"  for a long time. Well, trust is neither transitive nor
distributive nor symmetric (see http://www.mcg.org.br/trustprop.txt) and
the properties of soft-trust must be considered. 

PGP is in another turf altogether and everyone knows that PGP cannot scale
in space and size so as to cover the planetary Internet -- even PGP. 
However, PGP began with a very simple goal in mind: to provide for secure
communication within a group of friends.  And has delivered that goal
100% -- on a very small initial budget.

-> I'm trying to follow the definition of knowledge employed here.
-> [snip]

My main objective is to define trust, its properties, its interplay with
information, etc. 

And then, apply such knowledge to certification and information transfer.

Maybe that helps to explain why I had to mention knowledge.

-> According to this definition knowledge certainly can be exchanged,
-> indeed I am not aware of any statement by Shannon to the effect
-> that it cannot.

You are taking a mistaken reading, I believe. Knowledge has zero
information and knowledge cannot be transfered -- all in IT terms, of

-> The statement that there is absolute knowledge is followed by a series
-> of curious examples. If one is serious about claiming that there is
-> absolute knowledge in the philosophical sense then surely the
-> question of number is a valid one? If so then assertions of absolute
-> knowledge of those numbers appears premature.

Absolute knowledge is a matter of discussion in phylosophy and religion,
which can lead to very interesting arguments.  Here, in Information Theory
terms, the definition of absolute knowledge has nothing to do with alfa
and omega, the Infinite Being or even, if there is such a thing as
absolute! That's why I was careful enough to mention it. It just and
simply means that which you, me and anyone else can know without any need
for requiring friendship, alliance, truthfulness, or even human likeness.

Regarding definitions and meanings, I would like to exemplify that in
German the words "fast", "Gift" "Rat" and "bald" have nothing to do with
English homographs, so if I may write all sorts of funny looking sentences
in German if I use these words in their English meaning within a German
phrase (as tourists often do, especially with fast gifts). 

Thank you for your comments, but I think it might be more instructive if
you read the definitions NOT thinking of what you may define them by (or,
what someone else says) but as if you are acquiring a new vocabulary.
Otherwise, it will not look like a good Rat ;-)

Cheers, and have fun,

Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---