From owner-mcg-talk Sun Jan 25 13:16:23 1998
Received: (from majordom@localhost) by localhost (8.8.7/8.8.7) id NAA17701 for mcg-talk-outgoing; Sun, 25 Jan 1998 13:14:26 -0200
Message-Id: <199801251514.NAA17701@localhost>
Date: Sun, 25 Jan 1998 13:14:23 -0200 (EDT)
From: "416720"
To: MCG
Subject: [MCG] Re: Towards a real-world model of trust (fwd)
Sender: owner-mcg-talk@mcwg
Status: RO
X-Status:

List:

The dialogue below was off-list, but touches upon the subjects being discussed and so I am forwarding it to you. Therefore, it can also be easily referenced in the future, through the WWW list gateway archive at the MCG (see the Home-Page link, in the navigator menu).

I will be forwarding any such dialogues I find interesting, from discussions in other forums, for the same reference and archival purposes. My apologies to those who also participate in other lists and may get such material twice, but we will have the benefit of a more unified research material.

Cheers,

Ed

---------- Forwarded message ----------
Date: Sun, 25 Jan 1998 13:04:35 -0200 (EDT)
From: Ed Gerck
Subject: Re: Towards a real-world model of trust

On Sat, 24 Jan 1998, [private] wrote

-> Ed,
->
-> Interesting analogy about information being what you don't know and
-> trust being what you already know. I agree.

Thank you. I must however "warn" about taking too literally the declaration that "information is what you don't know and trust is what you know". I wrote that "loosely speaking" as it's written in the posting -- with the objective of providing a working picture. It is instructive to see the problems that may surface from such a simplified view.
I quote below some paragraphs from the paper at http://mcwg.org/mcg-mirror/cie.htm where an important distinction was also made between "belief" and "trust" -- which shows that it is not possible to model "trust" by things like Dempster-Shafer theory (belief and trust being different concepts, however both equally useful and needed):

****************** BEGIN OF QUOTE ***********

"Now, it is important to note that information, or the amount of information, depends only on the message uncertainty, rather than on its actual content, possible interpretation or, even if it is already known or not to the party. So, the phrase "information received by a party is that what the party does not expect" does not mean that the party does not believe or has no knowledge about the content of the message. For example, the message "name N has public-key K" may carry information to a party even if the party knows with certainty that N has public-key K, as given in a large directory of names and public-keys, because after the message the party knows that the other party also has the same data. Further, the message "45AB65", which has no meaning for a receiving party, may still carry information because after the message the party knows that there is another party on the communication channel.

Thus, we must next allow for a classification of the message's content, because if the message carries information then we may act differently whether we believe on this information or not.

In relationship to the information received by a party in a dialogue, we will use the words "assumption" or "knowledge" in order to classify the message's content in relationship to the degree of belief that the receiving party assigns to it:

assumption: the message has a degree of belief that is not acceptable to the party.

knowledge: the message has a degree of belief that is acceptable to the party.
Note that such classification does not depend on trust but, rather, on a quantitative degree of belief similar to the belief function of Dempster-Shafer [DS97], which will be defined here as:

belief: the probability that the evidence supports the claim.

For example, the message "name N has public-key K" may be an assumption even if the party has that entry in a directory, because he does not know if N changed her public-key K after that directory entry was entered and so has no evidence to support the claim -- which leads to zero belief. But, if the message "name N has public-key K" is the correct decryption from a message, using the public-key K, then that message conveys knowledge (within cryptographic limits of near 100% belief) that the other party has the corresponding private-key K' and an assumption that the other party is N (because there is no evidence that K' is in the possession of N, which leads to zero belief)."

************************ END OF QUOTE *************

The section thus made clear the distinctions between knowledge, belief and trust, although without defining trust yet -- which was done in my last posting (7 months later) after I was satisfied with the usefulness and coherency of the proposed definition of trust.

->
-> The big question I have is how do you acquire trust knowledge from
-> within the "critical radius of trust"?

In a forthcoming paper, "Generalized Certification Theory", this question is split in its syntactic and semantic parts. I will discuss briefly here the semantic part, which is closer to the arguments at hand -- on trust.

-> I assume the risk and cost
-> values of the information are sufficiently low when acquiring trust
-> information from within your acceptable "radius of trust". But still,
-> how do you reduce those values to near 0 and move from "soft trust" to
-> near "hard trust", with a value sufficiently low to make an initial
-> reliance decision?
-> Clearly, after having relied on the information
-> with positive experiences, the risk numbers decrease substantially.
-> Then with repeated positive experiences, combined with assurance of a
-> continued "vested interest" (my term) by the party requesting to be
-> trusted, the relying party can establish hard trust over time. But how
-> does one "harden" trust sufficiently to become comfortable with their
-> first reliance decision?

Well, first it is important to note that "hard-trust" is only applicable to self-trust because self-trust is untainted by information. That's why the posting's title was "Towards a real-world model of trust" -- which has two sides:

1. The model of trust or what should we understand by the word "trust",

2. The trust models we can use which will allow us to represent our understanding of the word "trust" ***as defined in (1) above***.

These are two entirely different sides. Let's see them one at a time:

1. THE MODEL OF TRUST

"trust": that which is essential to a communication channel but which cannot be transferred from a source to a destination using that channel.

Here, it is important to recognize the linguistic value of such definition, or, "is it really what we would use the word trust for, in some circumstances, or should we use something else as a name for the definition?"

Clearly, we would not (as cited above) use the words: assumption, knowledge, belief or information. As to the word trust itself, it was chosen exactly on semantic grounds for the English language. Linguistically, "Trust" is akin to "true" and "faithful", with a usual first dictionary meaning of "1 a : assured reliance on the character, ability, strength, or truth of someone or something b : one in which confidence is placed." So, in common English usage trust is what you place your confidence in or, expect to be truthful.
Thus, the definition of "trust" given here -- albeit technically directed to the terminology of the GCT paper and IT -- has a strong resemblance to its everyday use.

----> NOTE: from here onwards, when we read trust we must mean what is defined in the GCT paper and IT terms (the question whether such a definition is appropriate is now left behind; let's see where it leads us to).

2. THE TRUST MODELS

They are: hard-trust and soft-trust.

Hard-trust does not allow trust to be transferred because (t=0, d=0, s=0, T <>0,...). Thus, if you could keep trust untainted by information then everything would be fine -- as hard-trust -- however, that would be death, isolation. The concept of hard-trust is only useful for self-trust, isolated trust.

Now, if you want to communicate, then entropy must also enter the picture here. The basic IT theorems on communication still hold! You must allow risk to raise its ugly head, counterpoint it with cost and define a soft-trust model that warrants a critical radius of trust which is adequate in space and **time** to your needs, regarding the different entropy generators you admit in your threat model. So, this is not anymore guess-work or black art but can now be estimated and designed. Truly, other layers such as the laws of Birmania must be taken in ... but only *after* the IT trust layer is designed and insofar as you want to sell to Birmania...

To allow such design, the concept of "soft-trust" was postulated as an operator parametrized by (t,d,s,T,...). This has several consequences that bear directly on the semantic side of your question, which is basically how soft-trust allows trust to be acquired within the critical radius of trust. This requires several steps.

The first step, though, is to recognize that soft-trust relates to real-world situations -- where trust is indeed transferred. How?
As another commentator wrote, to my same posting:

> (I "trust" my sister is a good driver, and my best friend "trusts" my
> opinions on such matters, so he may lend his car to my sister because
> he "trusts" she will not wreck it. People commonly use the word trust
> in this sense, and so claims of a degree of transitivity follow.
> Granted this is not trust in any rigorous sense.)
>

Yes, it is not, but the soft-trust model allows for the mathematics to mimic such behavior (here, I am also thinking in terms of non-numeric mathematics) in a controlled environment.

Another example on the same line of reasoning for real-world situations but this time with partial symmetry (which also does not exist for hard-trust), is when a coach tells his athletes that he trusts them -- which creates in the athletes a compulsion to also trust the coach. So, action in one way has induced a behavior in the other way in the real-world, and we could be using soft-trust to represent such "real-world" trust interactions in order to reflect them in our Internet world interactions.

Then, we can allow trust (again, the GCT definition) to be transferred, increased or decreased -- all as a function of risk and cost, modelling trust as soft-trust with (t<>0,d<>0,s<>0,T<>0...).

The mathematics of such interactions is being revised to be presented, but the non-numerical mathematics given above may provide an even better foundation for the intellectual understanding of these concepts.

A note on non-numerical mathematics: non-numerical mathematics is the foundation of mathematics. For example, before we can count, we must grasp the notion of comparing sets and of enumeration. An illiterate shepherd is able to "count" his sheep by comparing how many sheep he can see, with notches on his staff. Thus, I prefer to use non-numerical mathematics to convey the broad foundations of the thought process, while mathematics can be useful to convey one instance of it.
Cheers,

Ed

______________________________________________________________________
Dr.rer.nat. E. Gerck                     egerck@mcwg
http://mcwg