The series will also necessarily touch upon the central issue of trust, which will be shown to be "that which provides meaning to information" and which constitutes a new type of measurement, in my treatment of it: how to rely upon actions at a distance. Thus, trust is as essential as information and can afford an answer to the problem of measuring events that are important, significant but which are unreachable -- as strongly exemplified in the Internet.
Before I open the series, it is perhaps worth
noting that Intrinsic Certification, Meta-Certificates and Trust Theory
as they are conceived in this series (and in former papers and mcg-talk
messages of the author and colleagues) are sober and modest disciplines
which have no pretension of being a universal patent-medicine for all the
ills and diseases of mankind, whether imaginary or real. You will not find
here any remedy for hair loss or illusions of grandeur, class conflicts,
capitalism or neo-liberalism. Nor are these papers and concepts a device
for establishing that everyone except the author and his friends are speaking
nonsense. To which disclaimer the author gratefully acknowledges a contribution
from Tarski.
Clearly, if even experts are oftentimes baffled by the ever new attacks, discovered misconceptions, hidden fallacies and legal subtleties around methods that purport to provide for secure worldwide network traffic, then the average user is not in a position to make a better choice than the security specialists -- and, in fact, may easily confuse issues.
What is a reference? Why cannot a reference provide meaning by itself? What is meaning? What is trust? Do I need trust? What is a certificate? What is warranted in a certificate? What is warranted about the certificate data? Warranted by whom under what liability? For which countries? Why are provably unsecure methods still in use? Do I really have to sacrifice my privacy in order to achieve security, or is there an alternative?
To help resolve these issues and to provide for technical answers, the MCG was born.
However, the MCG does not hope to educate the world or to develop each person into a security expert. Such view would require a degree of evangelism which is clearly only useful in a small parish. Instead, the MCG fosters public discussions that work as public feedback from a small percentage of the world population -- currently reaching into 26 countries -- and taking a small but perhaps statistically significant sample of it. The objective is to develop a security lingua-franca that will help solve today's certification, security and privacy problems.
This work will be contained in a series of MCG Standards. What are the first ones?
The first MCG Standards present non-parochial and provable solutions to the questions above. The first one, called MCS, is currently under development and includes a method called Intrinsic Certification -- which is implemented by code within a general certification solution called Meta-Certificate. MCs also interoperate with any known certification method such as X.509 or PGP, so that users are not cornered into YAPKIs (Yet Another PKI) or YASs (Yet Another Standard) and can interoperate with what they already have.
The Intrinsic Certification protocols and source-code will be presented for public scrutiny, as a function of the ongoing work within the MCG. It is a public commitment that such protocols and algorithms will not be patented but the source code, documentation and protocol description will be licensed under copyright agreements, by the MCG.
The main work is contained in a private paper written by myself last year and which is being unfolded by myself and by a collegiate of helpers and co-authors -- with a permanent invitation for enlarged participation. This development is being done within public discussions as much as possible -- as each development step is documented and finalized. The breadth and scope of the already published papers and mcg-talk discussions speak of the various development fronts where new ground must be broken into.
However, to the user, such developments are of little value. The technical details are not important to users and certainly utterly beyond their average field of work -- however, they need to be trusted by the users. And such trust will be built by full publication of all source-code -- which will allow the public to eventually perceive that the protocols have nothing to hide and that they work fine. In the same way that a plane's pilot can trust the plane's inertial navigation system defined by laser gyroscopes, also when it is foggy at night -- because they have proved they have nothing to hide and they work fine. Even though neither the passengers nor the plane's pilot may have any idea how a laser works and how laser light can measure rotation without an external reference (and, to really understand all the reasons behind laser gyroscopes and inertial navigation would most surely require a Ph.D.).
This series, however, will "open the hood" and allow an inside view of intrinsic certification requirements and principles.
The next message will deal with capital questions and answers -- looking into the following two main problems, as I define them:
A. The NPR Certification Problem:
(to be continued in the next message, Part II)