Date: Sun, 22 Nov 1998 02:56:00 -0200 (EDT)
From: "416720"
To: MCG
Subject: [MCG] Risk vis-a-vis Trust

List:

Studies [Ger98a, McK96] have shown in several ways and in several fields of work (Internet security, control theory, linguistics, law, social, commerce, business management, etc.) that both the concepts of trust and risk are necessary when dealing with human-human, human-machine and machine-machine interactions. Further, a formal theory of trust [cf. reported in Ger98a] shows that risk can be subsumed under trust, in a unified treatment.

This is not a philosophical question and shows that much of the current security design is at fault, especially those that may derive from publicly expressed opinion such as Dan Geer's to the effect that one only needs to consider risk and entirely forget about trust.

But this is a discussion which must also involve the Internet community at large and include engineers, lawyers, governments, etc. So, it is one in which the arguments must be conducted in a language which a general audience understands, even if it is not always technically accurate and often over-simplified.

In this spirit, I would like to provide a clear class of counterexamples to the notion that trust is a superfluous concept and that Internet security and e-commerce can be based only on risk management criteria.

But, before that, I presume we all know on what this issue hinges, and that is to be found outside the drawing board. To be specific, several "market forces". I will cite a few, collected in private exchanges and public documents.

First, one has to watch out for those CAs and security analysts which defend that CAs, in order to serve as introducers, may legally deny one's right to define one's own protocols for validity and use of materials once the CA's grant of authorization is removed -- in the name of less risk. For example: some CAs say you must agree not to use the cert once it is expired; you can use it only during subscription.
Or, more strongly, any private key certified by a CA via its signing of the public key is then "controlled" by the authorization grant attached to the certificate. That is, you agree not to use your private key once the cert expires -- in the name of less risk.

Many of these matters fall apart under analysis of the trust questions involved -- who is trusted for what? -- and may be shown to be unworkable if so contrived. For example, the legal need to provide proof of signature during a period of several years versus a cert lifetime of usually one year [Ger98b]. Or, the technical need to use an expired but valid cert in order to authenticate a new cert [Ger97].

But they represent the tendency to impose mandatory third-party rule systems -- in the (respected) name of quality, but in reality to engineer social acceptance of key escrow and covert surveillance of anyone's public communications at any time, by having an automatic authorization system governing use enforced via certs and conforming end-systems.

It's also a push for notaries. They get to sell repeating-continuing validity services forever; a kind of: well, you had your validation attested to for that important document for the last 10 years, building up lots of value in that document; now if you lapse your notarization-renewal, its entire evidentiary value is all lost, its entire reliability goes to zero -- as well as the insurance that covers the risk. All or nothing... because risk has no memory -- while trust has memory, learning and may even improve security with time.

Time -- the "forgotten" factor of such "analysis" that favors risk in lieu of trust. Perhaps because risk has no memory that may cause revenues to decrease in time; risk must actually increase with time for a given cert. But time is not so much forgotten, since time offers another avenue for profit, as some even publicly defend.
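The two needs just cited (proving a signature years after a one-year cert has expired, and relying on a cert that was valid when it did its job) come down to when validity is evaluated. The Go program below is an added example, not code from the post or from any CA it discusses: it uses the standard crypto/x509 package, whose VerifyOptions.CurrentTime field lets the relying party judge the chain as of the signing time instead of "now". The CA, the subscriber cert, the dates and the document are constructed here, and the signing time is assumed to come from a trusted timestamp.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func at(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }

// issue signs a cert for pub over [from, to] with parentKey; a nil parent means self-signed root.
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate,
	parentKey ed25519.PrivateKey, from, to time.Time, ca bool) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		IsCA: ca, BasicConstraintsValid: true}
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
// chainValidAt judges leaf's chain to root as of t: VerifyOptions.CurrentTime replaces "now".
func chainValidAt(leaf, root *x509.Certificate, t time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t})
	return err == nil
}
// VerifySignedAt is the relying party's own validity rule: signature good and chain valid when signed.
// signedAt is assumed to come from a trusted timestamp; a self-reported time could be backdated.
func VerifySignedAt(doc, sig []byte, leaf, root *x509.Certificate, signedAt time.Time) bool {
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, doc, sig) && chainValidAt(leaf, root, signedAt)
}
// Scenario: one-year subscriber cert (constructed dates), deal signed mid-term, checked decades later.
func Scenario() (strictNow, atSigning, beforeIssue bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	root := issue("Demo CA", caPub, nil, caKey, at(1997), at(2007), true)
	subPub, subKey, _ := ed25519.GenerateKey(rand.Reader)
	leaf := issue("subscriber", subPub, root, caKey, at(1998), at(1999), false)
	doc := []byte("constructed e-commerce deal")
	sig := ed25519.Sign(subKey, doc)
	strictNow = chainValidAt(leaf, root, time.Now())                            // false: expired in 1999
	atSigning = VerifySignedAt(doc, sig, leaf, root, at(1998).AddDate(0, 6, 0)) // true
	beforeIssue = VerifySignedAt(doc, sig, leaf, root, at(1997))                // false: predates the cert
	return
}
```

Under a check-now policy the 1998 deal is unverifiable today; under the signing-time policy it still verifies, while a claimed signing time before the cert existed is rejected.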
They want to sell certificate issuance services with their right hand and certificate validation services with their left hand -- in the name of less risk. The business-model justification for this is that "CAs must build CRL-publishing (or rather on-line status-check) capacity without getting paid for it" -- but this forgets that CAs were already paid for by the issuance fee, albeit only from the subscribers.

In effect, CAs must increase certificate prices when they become popular and people start to use and depend on them. The CA time bomb I mentioned last year [Ger97] -- lack of scale in time and space. A dynamic "solution" is then to charge certificate-holders on a subscription basis for usage, but that will be extremely unpopular because it is really the certificate-relying parties that force one to use certificates, so it is not comparable to telephone bills, where you hopefully immediately benefit from the service.

What I further see in this is then the vested interest of promoters of paid-for CA directory services that wish to win on both ends: from subscribers and from the subscribers' clients. Which vested interest seriously taints any worldview that might be a really useful outcome of such discussions. Such as, as already mentioned, those that want to further subdivide the market into Certification Authorities for issuance and Revoking Authorities for revocation -- so they can further win on those other two ends.

The next question is: how many ends can greed still create out of a public need? We already have four. The other question is: how many devious argument lines can an Internet security analyst defend before it becomes evident that there are strong conflicting interests behind his logical flaws? Of course, none of the companies involved work on a charity basis and all wish to make profit. The question is how.
Netizens have not been very eager to pay for services on the web, which shows that such "services" as I briefly commented on above would soon disappear as it becomes more and more evident that, freely and without "pay per service", anyone can issue, verify and revoke digital certs, anyone can verify identities, anyone can identify, and anyone can manage their own trust in others -- BTW, the only trust one may hope to manage is one's own.

Now, to the counterexample class. As already given, it is based on time, the "forgotten" factor. Risk usually increases with time for a given cert, and thus decreases its reliability -- which is used under exclusive risk management terms to declare increasing restrictions on its usefulness, mandate validation costs and define higher insurance costs. However, trust coherence [Ger98c] usually increases with time [Ger98a], which increases its accuracy components -- even though its reliability components (which correlate with the inverse of risk) decrease with time. The overall effect is that a learning process sets in, so that the parties in a dialogue no longer depend on the initial trust and risk that allowed the dialogue to begin, but can rely upon self-developed and intrinsic trust values.

Of course, this is only valid when trust is understood as qualified reliance on received information, based on continuously updated values for performance, accuracy, reliability and other criteria -- "trust, but verify". As pointed out by Tony Bartoletti in a public trust-ref list discussion, it is however common to treat trust as an independent quantity that "can be extended" to others (wisely or not) at will. Indeed, "trust" is often used almost synonymously with "license" -- but in such cases there is no learning effect possible, no increase of trust coherence with time. Why?
Because trust is then already a "collective coherent agreement" that is just there as "objective trust" [Ger98a] -- like the objective trust we have in gold as a highly-valued commodity. But subjective trust (i.e., what I have been calling simply trust, above) is also what lies at the heart of such granted "licenses" [Ger98a]. Trust in all its aspects is thus not the "key" to security -- but the assessment whether the "key" works as accurately and reliably as desired for the risk/cost factors at hand.

To conclude, that is why I am inviting a revisitation of these concepts. To take away the smoke and mirrors and see what we have left, face to face. Over risk, cost, time and trust. All needed factors.

Cheers,

Ed Gerck

===============================================

References:

[Ger97] Gerck, E., "Overview of Certification Systems: X.509, CA, PGP and SKIP", in http://mcwg.org/mcg-mirror/certover.pdf
[Ger98a] Gerck, E., "Towards Real-World Models of Trust: Reliance on Received Information", in http://mcwg.org/mcg-mirror/trustdef.htm
[Ger98b] Gerck, E., "Must e-commerce deals expire with certs?", in http://mcwg.org/mcg-mirror/ecom.txt
[Ger98c] Gerck, E., "What is identification, that we can identify it?", in http://mcwg.org/mcg-mirror/coherence.txt
[Ger98d] Gerck, E., "What is identification, that we can identify it?, Part II", in http://mcwg.org/mcg-mirror/coherence2.txt
[McK96] McKnight, D. Harrison and Chervany, Norman L., "The Meanings of Trust", in http://www.misrc.umn.edu/wpaper/wp96-04.htm

______________________________________________________________________
Dr.rer.nat. E. Gerck egerck@mcwg http://mcwg