[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: on the nature of trust

To: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
Subject: Re: on the nature of trust
From: Ed Gerck <egerck@laser.cps.softex.br>
Date: Sun, 22 Feb 1998 06:11:24 -0200 (EDT)
Cc: Tony Bartoletti <azb@llnl.gov>, SPKI <spki@c2.net>
Reply-To: Ed Gerck <egerck@laser.cps.softex.br>
Sender: owner-spki@c2.net

 [I would like to ask the list's indulgence for such a late reply but list
  traffic was high and I decided to wait for a truce ;-)]

On Fri, 13 Feb 1998, Phillip M. Hallam-Baker wrote:

-> >On Thu, 12 Feb 1998, Tony Bartoletti wrote:
-> >-> Ed,
-> >-> I do believe that your definition of Trust (in the sense analogous to
-> >-> Information Theory) is the most elegant and useful one, to repeat:
-> >->
-> >-> > Trust: "Trust is that which is essential to a communication channel
-> >-> > but which cannot be transferred from a source to a destination
-> >-> > using that channel"
-> 
-> 
-> This definition would apply equally well to my modem.
-> 

Ye spake a truth!


Let's see 3 cases of it, each one chosen (IMHO) so as to try to illustrate
an important aspect of such truth:

CASE A: 

Consider a communication channel that needs as an essential part of it a
property X [1] which CANNOT be transferred through it and which includes
your modem. Then the definition applies equally well to your modem and
your modem has Trust -- ie, you are using your "Trusted modem with
property X"  [2]. What "Trusted modem with property X" means? It means
that for information transfer, the other party and/or you need out-of-band
information on property X of your modem for some essential property, as
evaluated according to him and/or you. 

Note: it's important to see that Trust is always relative to the observer
(see trusdef.txt). So, if you use a Trusted modem it may be Trusted to you
and/or to the receiving party, with possibly different connotations. In
other words: who is to decide "what is essential to a communication
channel but which cannot be transferred from a source to a destination
using that channel"? -- the observer, which can be the source and/or the
recipient. 

[1] X: your modem and its properties, which can be anything that CANNOT be
transfered using THAT channel and that is essential to it as judged by any
or all of the parties (source and/or recipient), such as: the guarantee
that your modem itself was used (not Peter William's for example), the
guaranteed noise limit levels of your modem, etc. 

[2] i.e, your modem that has property X, in THAT channel, according to the
source and/or the recipient. 


CASE B:
;-)

Now, if your communication channel (pls be a bit flexible here as to what
you consider communication -- after all, neither Shannon nor myself have
limited communication to use only electrons as carriers, or photons, etc.)
uses doves as carriers, then probably the modem will not be essential to
THAT communication channel. However, suppose that the other party decides
that the doves need your modem's nice heat in order to always be warm and
ready to fly on demand to him, without delay, and that he cannot rely on
anything else for that function but that modem for THAT channel. In that
case, *he* can also call *your* modem his "Trusted modem with property X"
[2], where now X is defined by [3].

[3] X: your modem that can reliably -- as judged by the recipient -- keep
the doves warm and ready to fly on demand, without delay, at the source,
for THAT channel. 

Note: the example above was important also in that it highlighted the
observer's role on Trust: the recipient needed Trust on your modem -- not
you!


CASE C:
;-)

Now consider the case that you need to communicate with a recipient in the
next building which happens to have a window that is 2 meters (7 feet?)
distant from your window. Suppose next that your only means of
communication is to write your message on your modem and toss it over to
the other side. Now, even though your modem is an essential part of THAT
communication channel (unfortunately, you may say -- but this is just a
Gedankenexperiment) it CAN (indeed, it MUST) nonetheless be transferred
from source to destination using THAT channel. So, your modem needs zero
Trust regarding THAT channel -- ie, no Trust is needed for your modem.

NOTE 1: This case is important not only for the fun of it (after all, the
modem is not mine ...) but because it includes an example where no Trust
is needed.  What does "your modem needs zero Trust regarding THAT channel"
mean? Here, it means that when the modem arrives at the destination then
the recipient can rely 100% upon its arrival and does not need any other
channel to tell him that the modem has arrived. 

NOTE 2: "Needs zero Trust" or "needs no Trust" is not the same as "has no
Trust". To say that "channel A has no Trust for property X" is the same as
to say that "channel A does not transfer Trust for property X" -- so, if
you need Trust on property X you can't use channel A alone.  However, when
channel A "needs zero Trust for property X" it means that no other channel
is needed in order to transfer property X, but channel A.  Clear? 

NOTE 3: There are two important facts here: (i) your modem is an objective
reality and its subjective values are not important and, (ii) your modem
HAD to be transferred. These facts eliminated all need for Trust on your
modem, which perhaps further illustrates the definition of Trust.

-> Also consider the following thought experiment. I establish an email
-> correspondence with a person who I have never met before. Over the
-> course of ten years my only means of communication with this person
-> is through email. Is is possible to establish a property that corresponds
-> to our term trust as a result?
-> 
-> 

Interesting experiment. I will answer in three scenarios, the first two
with Trust evaluated by you (the source) and the third by the person (the
recipient).  The examples were also chosen with a purpose, to better
(IMHO) illustrate how the Trust definition can be applied. 

Scenario A:

Trust being "that which is essential to a communication channel  but
which cannot be transferred from a source to a destination using that
channel",  then you must view the channel as a TOOL and first evaluate
three things:

- what is your communication channel?

- what do *you* consider "essential" for that channel? This could be
  mathematically defined by *you* as an expression of the relative
  certainty desired for *your* specific security problem and application
  context, given all available knowledge *you* have of the operational
  vulnerabilities. 

- what is essential and yet CANNOT be transferred using THAT channel?

So, suppose *you* (respectively):

- verify that the e-mail channel goes over a fiber optic direct cable
 two point link between your computer and the computer of the other person
 you never met before and that the person you never met before presents 
 you a Verisign certificate class 1 which you always verify as valid
 in a 100% effective CRL list and  successfully challenge every time you
 send e-mail, always using S/MIME encryption with RSA/TripleDES.

- you consider essential that the channel transfers private information, 
  that is, information which cannot be eavesdroped within TripleDES
  limits. Who the other party actually is, or if it is only one party,
  or if it is a machine or person, is of no concern no you. Anyone that
  has the private-key associated with the certificate is the same for you.

Then, in this case, there is nothing you consider essential that is NOT
being transferred.

To answer your question: for you, this channel needs zero Trust for
privacy. This is a good thing -- no surprises, as commented in
trustdef.txt and above for CASE C. (note, again, that "needs zero trust" 
is not the same as "has no trust" or "has zero Trust")

IMPORTANT: In this case *you* objectively know that the information you
send in that channel is private within TripleDES limits, even in the case
of a TEMPEST attack, so such Trust does not need to be transferred to you
out-of-band. In general, "If property X is essential to a channel, a party
needs no Trust for property X in that channel if and only if the party has
hard-Trust on X".

NOTE 2: Hard-trust is defined in trustdef.txt


Scenario B:

In the above example, if *you* would consider that Trust for that
channel would be your recipient's DNA pattern, then you would not have
Trust on that channel even after ten years. 

Scenario C:

When you are exchanging e-mails you are using *one* communication channel. 
But you actually have *more* than one communication channel -- you also
have memory channels, a memory being that special case of a channel in
which the sender transmits signals to itself at a later point in time
(such as a 10-year mailbox). Memory channels can be used to provide for
"learning" capabilities, which is what I will use them here for. 

Let's take then the same case as above, but from the viewpoint of the
other person. Suppose that the recipient considers "essential" that the
party at the source writes and reads English with proficiency. Of course,
this information CANNOT be transfered using that channel, because that
channel transfers information and information in IT has nothing to do with
knowledge or meaning -- it needs Trust. 

During those ten years the person will use many channels (ie, memory
channels of different messages) and test the source's English proficiency
for r/w (eg, by using double negatives, different verbal tenses, wide
vocabulary, etc.). He will then develop Trust that the source has English
proficiency for reading and writing. The source could be a machine, you,
another person, a group of persons or a visitor from Mars -- this is
irrelevant to his desired Trust.

Note: this example is also interesting in that it shows that Trust did not
exist in the begining and was built up using multiple channels -- or not ;-) 


If the list desires, I could later on also comment on this e-mail example
but using an unsecure and non-private e-mail channel for other scenarios.
I decided not to include it here because this msg is already huge. 

Thanks for your patience with such a long message, but I thought that more
than one example in each case could better contrast and explain the
thoughts. I also tried to offer examples that were not mentioned before in
the earlier replies to this posting -- especially for the modem ;-) 

Cheers,

Ed
______________________________________________________________________
Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
http://novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---
Prev by Date: more SDSI software available
Next by Date: Internet Draft cutoff date
Prev by thread: Re: on the nature of trust
Next by thread: Re: The role of trust in certification, was Augustine (fwd)
Index(es):
- Main
- Thread