[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: on the nature of trust

On Fri, 13 Feb 1998, Ben Laurie wrote:

-> Marc Branchaud wrote:
-> > Without some externally transmitted trust, what we have is a kind of Turing
-> > test for trust -- is it really Ed, or just an incredible simulation?  This
-> > might be an easy question to answer in a trivial context, but I think that an
-> > external trust channel would be needed in a situation of any significance.
-> But isn't this the essence of trust? No-one can devise a protocol that
-> will make me trust things, can they? This "external trust channel" can
-> only exist if I trust it. And will that trust come from an "external
-> external trust channel trust channel"? I think not.

Marc, Ben and all:

I liked Marc's comment that some evidence could be obtained by considering
the *memory* channels involved here -- so he is recognizing that we don't
have only one channel here but as many channels as there are messages, at
least;  but there are also many implicit channels formed by the different
cross-correlations of various orders; other estimators can also be used
such as the time of day, pattern matching filters, etc. These many
channels can allow for quasi-independent measurements (or not) as a
function of the threat model.

[Memory channel being that special case of a channel in which the sender
transmits signals to itself at a later point in time (such as a 10-year
mailbox).  Memory channels can be used to provide for "learning" 
capabilities, which is what Marc used them for.]

I further liked Ben's message because it stresses a central point: Who
decides how many Trust channels are needed? The user, who is at risk. Now,
will that come from an external{ external {.... trust channel}...}
iterated n times? This is easier to answer qualitatively than it seems and
we do it everyday (though, admitedly, it may be harder to do it

Clearly, the quantitative answer depends on the presented definition of
Trust. Trust being "that which is essential to a communication channel but
which cannot be transferred from a source to a destination using that
channel", then I must view the channel as a TOOL and first evaluate three

- what is the communication channel?

- what do I consider "essential"? This could be mathematically defined
  by *myself* as an expression of the relative certainty desired for
 *my* specific security problem and application context, given all
  available knowledge *I* have of the operational vulnerabilities.                

- what is essential to the communication channel and yet CANNOT be
 transferred using THAT channel?  

The ANSWERS to these questions are not overly-variable quantities and
surely MUST be answered before I use the channel, so here also, Trust must
be earned so to say and not simply assigned. I believe that Ben can see
here much more of a *quantitative* behavior than one might expect when
trust decisions are made by an overly-variable third-party such as a CA.


Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---