From owner-mcg-talk Tue Jul 8 02:28:08 1997 Received: (from majordom@localhost) by localhost (8.8.6/8.8.6) id CAA11106 for mcg-talk-outgoing; Tue, 8 Jul 1997 02:28:05 -0300 Message-Id: <199707080528.CAA11106@localhost> Date: Tue, 8 Jul 1997 02:28:03 -0300 (EST) From: "416720" To: 137298 Subject: Re: Trust properties, was Re: typing error Sender: owner-mcg-talk@localhost Status: RO X-Status: On Tue, 8 Jul 1997, 137298 wrote: -> Ed, -> Is this a typing error? -> No, I'll explain below. -> Further, as stressed by the "web-of-trust" of PGP [PGP97], trust is not -> transitive -- if you trust one person it does not mean you must trust -> everyone that person trusts -- which casts serious doubts on any -> relative reference system based on trust. Worse, the reader can easily -> see that trust is also not distributive -- you may trust one person -> before she trusts your competitor but not afterwards -- -> ^^^^^^^ -> before she becomes your competitor but not afterwards -- -> ^^^^^^^ -> -> Regards -> Thomas Bennett -> This is a very important question. I haven't seen this aspect of trust described before but because of space limitations I just briefly touched upon it in the cie.htm paper. Further results will be published in a forthcoming paper on accountability -- which will also describe the concepts of Domain- and Image-Spaces. Let me be more precise, however skipping some theoretical details (to be presented in a next paper). Definition 1: (distributive) An operation * is distributive in the space of {A,B,C} if and only if (A*B)*C = A*(B*C). Example: (3*5)*7 = 3*(5*7) (NOTE: "distributive" in the social sense and as a strong reminder of the context used here, as the best solution to notation woes explained in http://mcwg.org/cgi-bin/lwg-mcg/MCG-TALK/archives/mcg/date/article-399.html and due to the emphasis on the real-world properties of trust. BTW, trust is also non-associative in the social sense.) Proposition 1: Trust is not distributive Proof: Let trust be the operation *. We want to prove that Definition 1 is not obeyed and one counter example will suffice. Instead of proceeding formally here, I will just exemplify. Suppose Jon trusts a CA and has his extrinsic cert issued by that CA. After the cert was issued, the CA decides to trust Khadaffi and grants Khadaffi access and control to all of its issued certificate and CRL files, including Jon's of course -- which was already issued. This is represented by the result of (Jon*CA)*Khadaffi, which is Ok because Jon trusts the CA before the CA trusts Khadaffi, and thus gets his extrinsic cert from that CA. Suppose now that Jon learns beforehand that the CA trusts Khadaffi and all his data will be also know to Khadaffi if he decides to trust that CA and that Khadaffi could revoke his cert at will (eg, simulating an error). Then, if Jon does not trust Khadaffi, he will not have his extrinsic cert issued by that CA. This is represented by the result of Jon*(CA*Khadaffi), which is not Ok and Jon does not get his extrinsic cert from that CA. Of course, the result of the first operation is not equal to the second. The same could be exemplified for competing businesses or competing countries, as in the cie.htm paper. Or, you may trust your lawyer before you know he trusts your competitor but not after you know it, and so on. In summary, trust depends on the event sequence. Of course, you may never know that an untrustworthy C of (A*B)*C exists (ie, the confidence-leak problem) and you may forever trust Aldrich Ames! This is also part of the unsolvable problems of extrinsic certification, when trust is used as a reference even though it is always relative to unknown assumptions. This means that the only reliable trust is self-trust (which cannot have an unknown C, by hypothesis) and the verifier must be able to decide on the basis of his intrinsic and independent measurements. Further, trust on a third-party is not only always unreliable but it cannot even be reliably estimated (eg, Aldrich Ames). The forthcoming paper on accountability will also show that trust is neither symmetric, nor transitive, nor distributive -- which will eventually invalidate any PKI scheme which grows beyond a certain "critical radius". And, it also casts serious doubts on the validity of delegation and authorization chains if such aspects of trust are not taken into account. Yours, Ed Gerck ______________________________________________________________________ Dr.rer.nat. E. Gerck ed@gerck.com http://novaware.cps.softex.br P.O.Box 1201, CEP13001-970, Campinas-SP, Brazil - Fax: +55-19-2429533