[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: on the nature of trust

To: Ben Laurie <ben@algroup.co.uk>
Subject: Re: on the nature of trust
From: Marc Branchaud <marcnarc@xcert.com>
Date: Mon, 16 Feb 1998 14:16:04 -0800
Cc: spki@c2.net
Organization: Xcert Software Inc.
References: <000801bd3886$52b9e6d0$06060606@russell> <34E48E88.3B66A158@xcert.com> <34E496FD.E534E9BC@algroup.co.uk> <34E4A164.E6DDE43E@xcert.com> <34E4A662.4377FA83@algroup.co.uk>
Sender: owner-spki@c2.net

Ben Laurie wrote:
> 
> Marc Branchaud wrote:
> >
> > Ben Laurie wrote:
> > >
> > > Marc Branchaud wrote:
> > > > Without some externally transmitted trust, what we have is a kind of Turing
> > > > test for trust -- is it really Ed, or just an incredible simulation?  This
> > > > might be an easy question to answer in a trivial context, but I think that an
> > > > external trust channel would be needed in a situation of any significance.
> > >
> > > But isn't this the essence of trust? No-one can devise a protocol that
> > > will make me trust things, can they? This "external trust channel" can
> > > only exist if I trust it. And will that trust come from an "external
> > > external trust channel trust channel"? I think not.
> > >

[ ... ]

> > The same paradigm applies to online messaging: you trust a message because
> > you've received enough other information in some external way.
> 
> Or the value of the information is sufficiently low that the "balance of
> trust" (as it were) swings in the right direction. But what is the
> _point_ of all this? If we look at the CA-centric model of trust, then
> it is the CA that must convince me, with sufficient out-of-band
> information, that I should trust it. One obvious way of doing this is,
> for example, being of sufficient reputation that proving to be
> untrustworthy would be a Bad Thing. Like a bank, for example :-)
> 

I agree with all of that.  The point I was trying to make is that some kind of
external-to-the-transaction trust channel is required.  I think what our
discussion has revealed is that several quanta of trust from many different
sources & channels are probably needed.

I believe SPKI is a pretty good way of conveying that kind of trust with as
little out-of-band communication as possible.  With everyone issuing SPKI
certs for all sorts of stuff, people can gather enough evidence to satisfy
themselves that something is trustworthy.

		Marc

+------------------------------------------------------------------------+
 Marc Branchaud                                       \/
 Chief PKI Architect                                  /\CERT SOFTWARE INC.
 marcnarc@xcert.com        PKI References page:              www.xcert.com
 604-640-6210x227      www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+

Follow-Ups:

Re: on the nature of trust

From: Ed Gerck <egerck@laser.cps.softex.br>

References:

Re: on the nature of trust

From: "Phillip M. Hallam-Baker" <pbaker@verisign.com>

Re: on the nature of trust

From: Marc Branchaud <marcnarc@xcert.com>

Re: on the nature of trust

From: Ben Laurie <ben@algroup.co.uk>

Re: on the nature of trust

From: Marc Branchaud <marcnarc@xcert.com>

Re: on the nature of trust

From: Ben Laurie <ben@algroup.co.uk>

Prev by Date: Re: re. name cert meaning
Next by Date: Re: on the nature of trust
Prev by thread: Re: on the nature of trust
Next by thread: Re: on the nature of trust
Index(es):
- Main
- Thread