[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: on the nature of trust

On Mon, 16 Feb 1998, Marc Branchaud wrote:

-> Ben Laurie wrote:
-> > 
-> > Marc Branchaud wrote:
-> > >
-> > > Ben Laurie wrote:
-> > > >
-> > > > Marc Branchaud wrote:
-> > > > > Without some externally transmitted trust, what we have is a kind of Turing
-> > > > > test for trust -- is it really Ed, or just an incredible simulation?  This
-> > > > > might be an easy question to answer in a trivial context, but I think that an
-> > > > > external trust channel would be needed in a situation of any significance.
-> > > >
-> > > > But isn't this the essence of trust? No-one can devise a protocol that
-> > > > will make me trust things, can they? This "external trust channel" can
-> > > > only exist if I trust it. And will that trust come from an "external
-> > > > external trust channel trust channel"? I think not.
-> > > >
-> [ ... ]
-> > > The same paradigm applies to online messaging: you trust a message because
-> > > you've received enough other information in some external way.
-> > 
-> > Or the value of the information is sufficiently low that the "balance of
-> > trust" (as it were) swings in the right direction. But what is the
-> > _point_ of all this? If we look at the CA-centric model of trust, then
-> > it is the CA that must convince me, with sufficient out-of-band
-> > information, that I should trust it. One obvious way of doing this is,
-> > for example, being of sufficient reputation that proving to be
-> > untrustworthy would be a Bad Thing. Like a bank, for example :-)
-> > 
-> I agree with all of that.  The point I was trying to make is that some kind of
-> external-to-the-transaction trust channel is required.  I think what our
-> discussion has revealed is that several quanta of trust from many different
-> sources & channels are probably needed.

Ben, Marc and all:

This is exactly one of the reasons why the definiton of Trust was worded
as it is. Now, if you add in multiple channels, then it gets very
interesting. I will exemplify beloe.

I quote from the e-mail discussions at the MCG (now part of

"The development of trust over a period of time has the great advantage
that it can derive from a number of independent sources of confidence that
a person is who and what he claims. If I have three independent sources
who verify that someone is who and what he claims to be, this greatly
increases my confidence in the conclusion. Even if there is a 20% risk of
error in the case of each source, the risk that all three are in error is
(20% x 20% x 20%) = 0.8%, a much lower risk. In the case of certifying
authorities the same consideration applies: if I am given three
certificates from independent authorities, the risks of error are much
reduced. This is a strong argument for fostering numerous independent
certifying authorities. A problem which cannot be avoided by a
multiplicity of certifying authorities arises if there is a hierarchy of
authorities and cross-certifications. If a single authentication key
authenticates numerous certifying authorities and is compromised, so that
the genuineness of their certificates themselves becomes unreliable, all
the benefits of the independence are lost. "

Thus, multiple channels add redundancy, which reduces risk. This is
further explained within Sahnnon's theory in http://www.mcg.org.br/cie.htm
-- look for Mogul, as this is rather ancient ;-)

This can also combat active attacks, as further commented in the

"Mitm attacks are hard to handle, as well as spoofing, but it is very hard
to coordinate these attacks on more than two channels at the same time.
The reasoning is like the calculation of error-correcting codes: you add
redundancy and you improve reliability. For example, if one channel is Web
directly off a cable-modem and the other is a fax, the two use entirely
different communication channels that must agree on end results. If now
you add an IR link to a next building, and so on, any attack will show up
as a marked difference in at least one channel -- which will be easily
seen and countermeasures can follow. To calculate, suppose the probability
of a succesful spoofing is the same in each of three channels
(cable-modem, fax, IR link) and is equal to 1%. Then, if we do a majority
vote and take information that is equal in two channels to represent
"true" information, the probability that two channels will be spoofed is
0.01%. If we take more channels and do a statistical analysis, we can
considerably improve our odds. " 

The abover examples provide some quantitative results which can add to
weigh the issues here. So, the argument against *one* CA as Ben asks, is
deceptively simple: don't put all your eggs in one basket -- spread the
risk so you can survive a small mistake. This frontally speaks against
TTPs and  regulated (few) CAs.



Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---