Firewall Wizards mailing list archives
RE: Transitive Trust: 40 million credit cards hack'd
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 18 Jun 2005 21:07:45 -0400
Bill Royds wrote:
> The problem is that people have never truly analysed trust in a systematic mathematical way.
Actually, they have. There are a lot of folks who were thinking of
this stuff back when I was learning to walk. There are excellent
papers and research on the topic; Ken Thompson's Turing Award
Lecture ('on trusting trust') is a classic many of us are familiar
with (http://www.acm.org/classics/sep95/) that describes some of
the transitive trust problems in software. The Orange book guys
and the early designers of multi-level secure systems also
made interesting discoveries on trust (namely "classification creep").
There were several research projects (Truffles and Ficus) that
dealt with trust issues in shared collaborative networked filesystems,
etc. Peter Neumann has written some really interesting papers
(large!) on composable trusted architectures - trusted building
blocks. And so on...
The problem is not that people have failed to think about trust; the
problem is that (once again) computer "scientists" have utterly
failed to examine the good thinking that has gone before them,
preferring instead to pursue the science of producing 3D dancing
pigs and fancy desktop widgets instead of actually thinking about
what they're doing.
> Trust is assumed to be a transitive property when it obviously is not.
Here I get to channel for Peter (since he doesn't follow this list). Do you mean Trust or Trustworthiness? Trust is transitive. Trustworthiness is altogether a different proposition.
> If Alice Trusts Bob and Bob trusts Charles it is not true that Alice should or would trust Charles. Trust is not even transitive. We seem to see it as a simple relationship when it is not even well understood at all.
Yup.
> There has recently been some theoretical work on trust algebras (see http://security.polito.it/cms2003/Program/Roessler13/1Roessler.pdf or http://security.dstc.edu.au/staff/ajosang/papers/algcert.pdf for example) but little of it has filtered into actual practice.
Cool.. Reading now... Looks like their perspective is that Trust and Trustworthiness are a matter of degree. I think that's a terminology issue, but I'm kinda sticking with "Trust" as a platonic ideal - the absolute, uber-Trust 100% Good Stuff. Everything else is "acceptable risk". Y'know, it occurs to me that one metric by which we might be able to tell that "computer science" and computer security have matured somewhat as a field is the eventual acceptance of a body of classical knowledge that a practitioner must be familiar with, in order to avoid being laughed at. Other than Denning and Cheswick/Bellovin/Rubin and maybe Schneier I'm coming up dry. Hmmm...
> Yet we are building whole financial edifices on completely flawed understanding of how to use distributed trust.
What do you mean "We" kemosabe? ;)

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
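The Alice/Bob/Charles point in the exchange above, as an added example that is not part of the original post or of the cited papers: a small trust graph evaluated three ways. The non-transitive reading gives Alice only the principals she named; the transitive reading (what a system gets when it applies the relation mechanically) reaches everyone down the chain; the degree-of-trust reading discounts trust along each hop and cuts it off below a threshold. The principals and weights are constructed, and the decay rule (multiply the degrees along a path) is a deliberate simplification chosen for illustration, not the algebra of the linked papers.

```python
"""Toy model of transitive vs. non-transitive trust relations.

Added example, not code from the mailing list post or from the cited
papers. It shows that if Alice trusts Bob and Bob trusts Charles, a
system that treats trust as transitive silently extends Alice's trust
to Charles (and beyond), and that when trust is a matter of degree it
decays along the chain. Principals and weights are constructed; the
decay rule (multiply weights along a path) is an assumed simplification.
"""
from collections import deque

# Constructed direct-trust statements: truster -> {trustee: degree in (0, 1]}
DIRECT_TRUST = {
    "alice": {"bob": 0.9},
    "bob": {"charles": 0.8, "dave": 0.5},
    "charles": {"eve": 0.7},
    "dave": {},
    "eve": {},
}


def direct_trustees(trust, principal):
    """Whom a principal explicitly trusts (non-transitive reading)."""
    return set(trust.get(principal, {}))


def transitive_trustees(trust, principal):
    """Everyone reachable along trust edges (transitive reading).

    A breadth-first walk from the principal; this is the set a system
    ends up trusting on the principal's behalf when it applies the
    relation transitively. The visited set handles cycles.
    """
    seen = set()
    queue = deque(trust.get(principal, {}))
    while queue:
        p = queue.popleft()
        if p in seen or p == principal:
            continue
        seen.add(p)
        queue.extend(trust.get(p, {}))
    return seen


def effective_trust(trust, principal, threshold=0.6):
    """Degree-of-trust reading: best path weight to each reachable principal.

    Trust along a chain is discounted by multiplying the degrees on the
    hops (assumed rule). Only principals whose best-path degree meets the
    threshold count as trusted, so far-away principals drop out.
    """
    best = {principal: 1.0}
    queue = deque([principal])
    while queue:
        p = queue.popleft()
        for q, w in trust.get(p, {}).items():
            cand = best[p] * w
            if cand > best.get(q, 0.0):  # strict improvement only, so cycles terminate
                best[q] = cand
                queue.append(q)
    del best[principal]
    return {q: round(w, 3) for q, w in best.items() if w >= threshold}


if __name__ == "__main__":
    who = "alice"
    print("direct:     ", sorted(direct_trustees(DIRECT_TRUST, who)))
    print("transitive: ", sorted(transitive_trustees(DIRECT_TRUST, who)))
    print("by degree:  ", effective_trust(DIRECT_TRUST, who))
```

Running it shows the gap between what Alice stated (Bob only) and what a transitive system grants (Bob, Charles, Dave, Eve); the degree reading keeps Bob and Charles at the default threshold and drops Dave and Eve, which is the kind of bounded reach a policy should make explicit rather than leave to the mechanism.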
