Re: Modelling trust

{Cross-posting between cert-talk and spki, as received}

All and everyone ;-)

Due to a catastrophic change in the DNS servers that answer for
*.softex.br (a nationwide domain), now reverted, I was spared by Nature of
some e-mails -- including Bob's, and will present here my rejoinder based
only on what I can infer from Tony's and Chris' msgs below.

I infer that Bob may have thought that my msg "Re: Modelling trust" was
off-topic and I also infer that approximately 10 milliseconds after that
he regretted it (because he did not answer my yesterday's msg to him,
asking for a direct copy of it, after I received Tony/Chris postings). 

I think that whenever anyone cries "off-topic!" and a discussion follows
-- that does not involve the original poster -- then it means that it was
NOT off-topic. However, let's be quantitative and objective to evaluate if
such a sin was committed here, based on a simple key-word and context

1. My posting was centered on "trust", vis a vis various certification
recommendations and the social/legal understanding of it, citing "X.509"
several times and also quoting an extensive paragraph of "X.509". Further,
the posting commented on the difficulties encountered when using "trust"
in the "X.509" framework, citing the initial "X.509" emphasis on a
subjective view versus the later non-subjective introduction of
"certificate chains" and ad-hoc CA's "CPSs". I also showed that such
trust-based issues decrease the "compatibility of X.509 certificates" to
other named standards (such as PGP or the ABA Guidelines). I further wrote
that such trust issues would eventually invalidate any PKI scheme based on
X.509, because "signing and verification" are not correctly connected, and
practically exemplified it.

2. The cert-talk welcome msg says that the key-words "X.509" and "trust" 
belong to the list charter, as well as "Compatibility of certificates
across applications", "Certificate profiles and trust attributes", "Chain
formation", "Signing and verification". 

A simple comparison shows that the key-words listed in (2) are 100% hits
in my msg, as quoted in (1)! Further, the practical examples provided in
my posting also do not allow it to be viewed as academic abstraction --
those are real-world issues and problems.

So, the posting on "Modelling trust" was fully on-topic in cert-talk and
fully targeting "practical technical issues surrounding the use of X.509
certificates in public-key cryptography applications" as cert-talk's
charter says. 

Regarding SPKI, which was also CC'd by Tony and Chris, the key-words
contained in (1) have been present in many messages. Further, trust
discussions belong to the heart of things like PolicyMaker or Carl's fight
between trust and authorization. Besides, I know of no other list but SPKI
where one can read and enjoy a nice well-contained discussion on Kurt
Godel's theorems, including the original German text -- without being
bothered by useless "off-topic" cries! A mature list, indeed, where
quietness is like smoldering fire... ;-) 

To conclude, very objectively, the posting was certainly not off-topic. 
Further, if one accepts the fact that the main problem in certification
today is NOT cryptography, but trust -- then the posting is part of a
future trend, in which cert-talk list members may need more and more to
discuss, define and decide: What is trust? How is trust created? How is
trust transferred? Yes, because such answers are NOT provided in X.509 --
even though they are needed for X.509 practical use. 

Bob missed the mark, maybe by 10 milliseconds.... 

(then, was *his* posting off-topic?)

May I end this posting reminding the audience about Mark Twain's cat...
so, let's take the lesson and forget the pain ;-)

Bob: the beer is on you...



On Thu, 5 Mar 1998, Tony Bartoletti wrote:

>I know that each of the lists PKIX, SPKI and "cert-talk" tend to have
>little patience with academic discussions on modeling.  If you find a
>list that is more appropriate, let me know and I will sign up as well.
>The PKIX list is focused upon working out the details of X.509v3.
>"cert-talk" (perhaps inappropriately named) is focused upon practical
>how-to questions over existing deployed implementations.
>SPKI (rather quiet of late) has already transitioned from theory to
>implementation, but they may be the most receptive.  I say this because
>the lightweight (some would say "inadequate") nature of their form for
>supporting global PKI still leaves as an open question how this form
>might be deployed and "ganged together" to support larger and varied
>needs.  (I hope Carl Ellison and Perry Metzger don't beat me up;)
>Maybe Ed Gerck has some suggestions;)
>At 11:43 AM 3/5/98 -0600, you wrote:
>>In response to the appropriateness of discussing trust models in this
>>list, I would assume that many of the participants on this list would be
>>interested in the underlying application and usefulness of the trust
>>model that public key technology enables.  For us to blindly discuss the
>>detailed technical
>>of any given technology without keeping our feet grounded in the
>>drivers sustaining the development of that technology would be
>>irresponsible, to say the least.
>>Given that, I would be very happy to participate in another list if my
>>colleagues in this forum are not as receptive to these types of
>>discussions as I
>>-- see attachments --
>>---------------------------- Forwarded with Changes
>>From: BJUENEMAN@novell.com at Internet-USA
>>Date: 3/4/98 2:09PM -0800
>>*To: egerck@laser.cps.softex.br at Internet-USA
>>*To: cert-talk@structuredarts.com at Internet-USA
>>Subject: Re: Modelling trust
>Tony Bartoletti                                             LL
>SPI-NET GURU                                             LL LL
>Computer Security Technology Center                   LL LL LL
>Lawrence Livermore National Lab                       LL LL LL
>PO Box 808, L - 303                                   LL LL LLLLLLLL
>Livermore, CA 94551-9900                              LL LLLLLLLL
>email: azb@llnl.gov   phone: 510-422-3881             LLLLLLLL

Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---