[219] in WWW Security List Archive

Re: Syncytial trust?

daemon@ATHENA.MIT.EDU (hallam@cayenne.lcs.mit.edu)
Sat Nov 12 07:10:59 1994

From: hallam@cayenne.lcs.mit.edu
To: www-security <www-security@ns1.rutgers.edu>
Date: Sat, 12 Nov 94 03:31:06 -0500
Reply-To: hallam@cayenne.lcs.mit.edu


>Has anyone heard of the term syncytial trust? If A trusts B and B trusts C
>then C has the syncytial trust of A? A useful word in the Web of Trust
>Concept.
 
Well regardless of what you chose to call it I'm not sure it applies. In
fact I can think of many cases where describing the relationship as `trust'
of any sort would be misleading.

The idea of cascaded authentication is rather different. Here if A trusts B
_to identify trustworthy persons_ and B trusts C such that she is prepared
to make a recommendation to A then A trusts C.

The important concept is that we have a relationship between the parties that
can have attributes. If you don't have that `you are toast'.

In fact the concept of trusted to recommend trust is more complex. I may trust
the Whitehouse to authenticate a Federal agency (eg the NSA) but not trust 
them to authenticate the Cuban government. 


I could easily have written up Shen as `A graph based trust model leading
to personalised trust heterarchies'. I don't think that that would improve the
clarity of the concept though.


Since the base model is of relations carrying attributes there is only one
representation of the real world trust model that is in use every day in 
ordinary life. The lesson of PEM is that attempting to constrain this model 
artificially prevents acceptance and leads to a rejection of authoritarian
control. 

This leads to some very nice isomorphisms. PEM[1] is a hierarchical trust
model, the classical authoritarian form. PGP mounted a successful overthrow
of this model with an entirely unconstrained anarchical model. As with political
anarchy this leads to problems. Although the citizens are much safer (freer) in
theory they are in fact prisoners of their own lack of order. `For insomuch as
we have observed human conduct we have seen that every man is more jealous of his
own rights and privileges than of those of his fellow man[2]'. In exactly the
same way people tend to be more careful about vetting the contact they are most
likely to need to trust than others. This makes PGP an attractive model
intellectually but administratively it is weak. It is not hard to get bogus keys
into circulation as valid ones and in the absence of a reference authority there
is no guarantee of validity. And a reference authority is of course precisely the
sort of thing that PGP attempts to avoid.


We have two options: either we can attempt to define wonderful academic forms of
trust model de novo. Or we can observe the real world and attempt to model the 
trust mechanisms that allow it to function. Since we do not see a hierarchical 
trust model it is not the solution. We do not see anarchy either, or at least in 
places where it has taken hold it is disaster.


What we see is binary interpersonal relationships heavily qualified in many 
ways. The approach that has always seemed most promising to me is to replicate 
those relationships allowing them full colour with respect to the areas for 
which trust is granted (financial, notarial, reliability etc), the extent of such
trust and the confidence with which that trust is allowed. To digress it is a 
very different thing to be 1% confident of placing $1million of trust in an 
individual and being 100% confident of granting them $10,000 of trust. In other 
words we are faced with a classical AI problem, you to reduce a graph of binary
relations to a tractable form in a reasonable time.


	Phill Hallam-Baker

[1] Yeah OK they are going to change it sometime...
[2] Probably an entirely bogus quote but the sort of thing they used to say 
round about the time of the American colonial rebellion. 
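
An added sketch, not part of the original message: trust edges carrying the attributes the message names (area, extent, confidence) plus a recommender flag for cascaded authentication. It assumes that confidence multiplies along a chain and that a chain carries no more than its smallest extent; all names and sample edges are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Edge:
    truster: str
    trustee: str
    area: str          # e.g. "financial", "notarial"
    extent: float      # largest amount the truster will stake (dollars here)
    confidence: float  # 0.0 .. 1.0
    recommender: bool  # may the trustee introduce further parties in this area?

def best_confidence(edges, source, target, area, amount):
    """Highest confidence with which `source` can place `amount` of `area`
    trust in `target`; 0.0 if no chain of recommenders supports it."""
    best = {source: 1.0}   # best confidence found so far for each recommender
    frontier = [source]
    result = 0.0
    while frontier:
        node = frontier.pop()
        for e in edges:
            # Trust does not cross areas, and a chain cannot carry more
            # than the extent of its weakest edge.
            if e.truster != node or e.area != area or e.extent < amount:
                continue
            conf = best[node] * e.confidence
            if e.trustee == target:
                result = max(result, conf)
            # Only a trustee marked as recommender extends the chain.
            if e.recommender and conf > best.get(e.trustee, 0.0):
                best[e.trustee] = conf
                frontier.append(e.trustee)
    return result

# Constructed sample graph.
EDGES = [
    Edge("alice", "bob", "financial", 10_000, 0.9, True),
    Edge("bob", "carol", "financial", 1_000_000, 0.8, False),
    Edge("alice", "dave", "financial", 1_000_000, 0.01, True),
    Edge("dave", "carol", "financial", 1_000_000, 1.0, False),
    Edge("bob", "erin", "notarial", 10_000, 0.9, False),
    Edge("carol", "frank", "financial", 10_000, 1.0, False),
]

if __name__ == "__main__":
    for who, area, amt in [("carol", "financial", 10_000),
                           ("carol", "financial", 1_000_000),
                           ("erin", "notarial", 10_000),
                           ("frank", "financial", 10_000)]:
        print(who, area, amt, best_confidence(EDGES, "alice", who, area, amt))
```

The same pair of parties gets a different answer at $10,000 and at $1,000,000, and neither erin (wrong area) nor frank (introduced by a non-recommender) inherits anything from alice.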
