[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: Trust question (fwd)

I am forwarding this msg to SPKI, to avoid list cross-talk by Ccs. 
The subject is also relevant to the discussions here and may further
show that Matt Blaze is using trust as a misnomer in his papers,
specially evident when he talks about "delegating trust" and
calculates it using Boolean expressions -- whereas the word to be
used would be "authorization". Even though I can't be physically
present at the next SPKI meeting at the IETF, please consider this my
opinion -- if cyberlife has any meaning or is entitled to opinions ;-)

Thanks -- Ed

---------- Forwarded message ----------
Date: Fri, 20 Mar 1998 10:39:59 -0300 (EST)
From: Ed Gerck <egerck@laser.cps.softex.br>
To: pj ponder <ponder@mail.irm.state.fl.us>
Cc: E-CARM <e-carm@c3po.kc-inc.net>
Subject: Re: [E-CARM] Re: Trust question (addendum)

On Thu, 19 Mar 1998, pj ponder wrote:

>Trust is ultimately a subjective determination, and not a mathematical 
>relationship, like 'greater than' or 'prime'.  That being said, I'm not 
>sure if the statements 1, 2, and 3 below are comparable, let alone 
>equivalent, in any pairing.  

Yes, trust is subjective and such is also information -- even when
defined in Shannon's sense (eg, loosely, "information is what YOU do
not expect"). And yet, such subjective definition of information
leads to a very useful mathematical theory of information. 

That said, supose you have a Turing [1] machine for each statement. 
The three machines have fully independent initial states.

Take now one machine at a time. Represent each A, B and C as states
in that machine (which has also other states such as D, E, F..) and
take x and y as conditions that relate states A, B and C according to
each statement (also including arbitrary conditions z, u, v, w, etc
for connections between other states). Make sure that A, B and C have
no connection in their respective initial states, which are otherwise

After each machine runs, compare the final states for each A, B and C
in all three machines, two at a time. Then, change all initial
conditions in all possible variables, respecting the restraints and
run again. Do that enough times. From all such comparisons you have
the answers to the binary comparison requested. 

Then, you see that the problem IS determinate. The fact that one may
not have its solution now that does not mean that a solution does not
exit of course. Does not mean that one cannot calculate it in closed
form either.

>If Alice trusts Bob to the extent that she 
>will lend him five dollars with no security, and Bob trusts Charlie to 
>always repay his debts, we haven't got a syllogism.  Alice may not trust 
>Charlie at all, for any purpose.   Without knowing more about what x and 
>y represent, we really can't say anything about the relationships between 
>the statements.

Take what you wrote "Alice may not trust Charlie at all, for any
purpose." Is that relevant? how can that be represented?  When we
work out a a Karnaugh map for a logic circuit some variables are
fully independent and that is no problem -- we still arrive at a
final boolean expression. This is just algebra -- values come at the
end...if it is times 0 then the result is zero and we don't have to
worry our pretty little head on that before the result is calculated
for *each particular instance*. The equation represents all

>Another example:
>1. Alice trusts everything Bob says, feeling that Bob is always truthful
>and trustworthy.  
>2. Bob says, 'Charlie is trustworthy'. 
>3. May we assume from 1 and 2 that Alice 'trusts' Charlie, or can we only 
>say that to Alice, it appears as though Bob trusts Charlie?

As I commented above, if you feel a particular instance is useful
then make sure it is in the logic expression. It's current value is
meaningless for problem statement.

>One of the problems with over generalizing in these examples is that
>actual PKI and CA relationships are complicated by contract and other 
>liability issues.  Trust is not the same thing as 'legal-looking 
>paper asserts that if something goes wrong, someone else will be 
>liable,' nor is trust the same thing as: 'If the certificate revocation 
>list doesn't invalidate the cert I'm dealing with, and my own liability in 
>any case will be limited to fifty dollars, then I will complete my end of 
>the transaction and hope for the best.'  

This is surely important but we can think of it in layers, like the
TCP/IP protocol. Trust MUST come first -- how could you legaly rely
on something YOU don't trust? Law requires due diligence and a person
cannot legally rely upon an unknown risk. 

The propositions posed are well-defined and they just deal with trust
-- not with any authorization that may result from trust...hence,
legal reliance is NOT even a question because there is NO action.
Just the plain abstract and platonic act of trust .. there we stop
and enquire: what IS this platonic state?

Clearly, without answering this question we cannot say anything HOW
this platonic trust MAY turn into an authorization for non-platonic

>Trust is a subjective determination, more like an emotional state than a
>mathematical principle, and it may be arbitrarily or capriciously granted
>or withheld - reason, logic, and modular exponentiation notwithstanding.

Sure, agreed 100%, but that is NOT the question in the propositions
and I carefully avoided that in order to allow the problem to be
determinate. I took trust (whatever that  pesky word may be) as
GRANTED and asked: what then? When I stated:

"First B trusts C on matters of x..."' 

and when I explained:

 Thus, to be precise, when a statement says "B trusts C on matters of 
 x" this means that B knows exactly what C will do regarding matters
 of x. 

And that's why C is trusted on matters of x by B, because C can be
100% predicted when dealing with matters of x -- no surprises are
expected, as judged by B.

How such "certainty" or trust was established is not the question
here. It was granted. 

In other words, that such "certainty" is above logic there is no
doubt .. but that once present, the consequences of it are logically
followed. For example, after I decide to trust a pizza restaurant to
provide good pizzas that is trust matter "x". My decision to go there
or not depends on a series of factors (some of them entirely
subjective such as hunger and some objective such as money) but it
does NOT depend anymore on that trust matter "x" my brain computer
has already evaluated and classified. 

>Maybe the examples would better serve to analyze CA and PKI models of
>trust if we focused on channels of communication?
>1.  Alice, through a secure channel, receives a large integer from Bob.
>2.  .... (left to student to complete)
>as the old signature file says, 'In math we trust.'

:-) Can you trust the secure channel? Is Aldrich there? Clearly,
trust is a primary concept and everything else follows. That's why we
are targeting trust at its pristine state.. before any action is
authorized. For that, we do not need communication channels. We just
need to evaluate the consequences of the initial trust conditions.. 
we do not care how they got there or how trust was acquired at this
moment because this would NOT be within the domain of logic.

Even though, paradoxically enough, if we can logically calculate the
consequences of trust and if we can further mathematically estimate
the various actions that may be directly and indirectly authorized by
such trust and if we can statistically estimate the consequences of
such actions to a certain depth, taking into account the various
risks and uncertainties, then we may arrive at the conclusion that
such consequences will be unpleasant with probability 60% and that it
all derived from that initial platonic trust being released... then
we may decide NOT to trust ... and so trust acquisition becomes

This is a mild paradox and certainly not a contradiction.  IMO, it is
what could be called "trust refinement" -- where one ennacts the
consequences and dynamically refines the trust beliefs in cycles of
behavior where the path is helical and not circular..  hence no
paradox because one never goes back to the same point. 

However, back to the subject (sorry for the sidetrack). The objective
here is much more modest. It is simply to try to decide if there is
any binary equivalence between those three equations, which are to be
taken as fully independent and well-defined for trust -- taken as a
platonic attribute. The consequences of such trust will then follow
as a function of the authorized actions but that does not need to
concern us here as we are upstream. 




[1] Entscheidungsproblem was a question of decidability posed by the
German mathematician, David Hilbert, in an address to the
International Congress of Mathematicians in 1928. He asked if in
principle, there is any definite mechanical method or process by
which all mathematical questions would be decided? In 1936, Alan
Turing, a British mathematician, published a paper called "On
Computable Numbers with an Application to the Entscheidungsproblem."
Alan Turing's paper was a remarkable work, it introduced the concept
of the Turing Machine which has become the foundation of the modern
theory of computation and computability. Turing laid the theoretical
ground-work for all modern computer science. In his paper, Turing
showed that what we generally mean by computation could be satisfied
by a machine that consisted of a tape of unlimited length with little
square cells, and a device with a finite number of states that could
read symbols from the tape. Based on that symbol and current state,
it could write another symbol over the current symbol and change the
current state. Finally, it could move left or right on the tape.  (in
http://obiwan.uvi.edu/computing/turing/ture.htm) See also (long URL):


Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---