Toward Real-World Models of Trust: 
Reliance on Received Information

"A theory, ultimately, must be judged for its accord with reality."
S. Leshniewski, (1886 - 1939)
Ed Gerck
Copyright © 1998 by E. Gerck and MCG, first published on Jan 23rd, 1998 in the mcg-talk list server
All rights reserved, free copying and citation allowed with source and author reference.
 

This work presents a formal and abstract definition of trust which allows any number of explicit trust definitions to be derived for different application areas, such as communication systems, digital certificates, cryptography, law, linguistics, social sciences, commerce and day-to-day living -- providing mutually compatible and useful real-world trust models or trust instances. The paper presents more than thirty such equivalent instances, and discusses their general formation rule for qualitative as well as quantitative uses of the concept of trust. The paper also compares and contrasts trust with auditing, power, belief functions, probabilistic models in the frequency and the Bayesian interpretations, fuzzy logic concepts, surveillance, open-loop control, risk, insurance, information, meaning, accountability, reasonable reliance, justified reliance, etc. From the discussion, trust emerges as the mathematics of subjective certainty and precision -- a concept to be further developed in the context of non-boolean logic over a multivector space in Grassmann Algebra.

 
Note 1: The following discussions are contained in the Appendix:
     
  1. Model of Trust versus Trust Models
  2. Linguistics
  3. Trust Propositions and Matters of x
  4. Internet Names, TSK/P, Uniqueness, Reference and Sense, Metrics, Biometrics, Bio-implants, Examples, etc.

Note 2: If the reader wants to begin with examples and practical Internet questions, it is suggested to begin reading the paper with item 4 above.

Note 3: The abstract trust definition presented here is a single, implicit formal definition that depends neither on instances nor on observers. The concrete realizations of trust in real-world usage built using the abstract definition, however, can depend on references and may have many representations, as discussed.

Note 4: The terminology "real-world models of trust" is used for all particular instances that are derived from the abstract trust definition, as representations of it, and which apply to the real-world -- including the so-called virtual reality or cyberspace.

Note 5: A Summary is available at the end of the paper.

 

1. Introduction

Trust -- the next frontier? The conceptual frontier seems to be more elusive than the physical dimensions of space and time. Since time immemorial, the concept of trust has pervaded religious, philosophical and historical writings. Branded as "unscientific", trust became the ugly duckling of science -- utterly condemned to be subjective, imprecise, unreliable ... even untrustworthy. Now that the Internet provides an example of important, needed and yet unreachable events, trust is often mentioned either as its savior or its nemesis. However, what does trust mean? What is trust?

This paper will initially focus on the subject of trust in communication systems -- especially the Internet -- which will allow us to view trust within the broad picture of information exchange and follow Shannon's ideas as closely as we can, building a base and a unifying concept for all other uses of the concept of trust, even in other areas besides communication systems and Internet certification protocols. In fact, if there is information being sent or received, whatever the medium (e.g., by TCP/IP Internet protocol, by fax, by written messages, by oral messages, by body language, by field measurements, etc.) and whatever the communicating parties in any combination (e.g., persons, cybernetic agents, software, hardware, etc.), the formalism here described is general enough to be applied. Communication systems are thus a very intuitive framework and we can relate several examples to day-to-day experience and humanistic sciences -- as we investigate the abstract idea of trust and proceed to model it out of the "common denominator" of all its real-world molds, targeting a hopefully useful conceptualization of trust.

The first subject is "modeling of trust" and not "trust modeling" -- the second being derived from the first. What I am saying is that we must first define and understand what trust is (and, possibly, is not) in the context of communication systems before we go into cryptographic algorithms and message protocols -- which can serve well either as a means of conveying said understanding or of obfuscating said ignorance!

For example, today's Internet certification protocols such as X.509, PGP and others, take a leap of ignorance on what trust is and start by defining means to convey it. Such attitude is not even empirical, it is indeed arbitrary. To justify this leap of ignorance, standards such as X.509 have statements to the effect that "... such will be defined in the CPS, which is not a part of this document." -- as if assumptions could be defined after the theorems that use them.

This is important for three main reasons:

  1. We want machines to use a well-developed, real-world, tested, qualified, notion of trust;
  2. We want machines to be useful to us as our agents in terms of decisions that depend on trust; and
  3. We want the same notion of trust to be communicable and interoperate among humans and machines.

In short, we want trust in cyberspace (e.g., between machines) to be based on that same notion of trust, as a form of reliance, that we have been using for millennia between humans and in business. It turns out, however, that there is wide disagreement as to what a definition of trust might be -- even for us, humans. Thus, as my first task, I share my investigation of what -- and what not -- trust might be. My conclusion is that, even though we all use different trust models, even though we all decide to rely in a different way, we all share the same notion of trust. Using Information Theory terminology, this paper defines this notion of trust as:

"Trust is that which is essential to a communication channel but cannot be transferred from a source to a destination using that channel."

We cannot use the same channel for both the information and the trust for that information, neither sending nor receiving. A decision to trust a set of bytes (such as someone's name, a source of a communication, a name on a certificate, a digital signature, or an electronic record) must be based on factors outside the assertion of trustworthiness that is contained in that same set of bytes. Likewise, a decision to trust someone must be based on factors outside the assertion of trustworthiness that the person makes for himself.
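The point of the paragraph above, as an added example that is not part of the original paper: a message that carries its own verification key is self-consistent whoever wrote it, while a key obtained outside the message channel separates the genuine sender from an impostor. All names and keys are constructed, and a shared-secret MAC stands in for a digital signature (the in-band key plays the role of the key inside a self-signed certificate).

```python
import hashlib
import hmac

# Constructed sample keys (invented for this example).
ALICE_KEY = b"alice-key-agreed-in-person"
MALLORY_KEY = b"mallory-key-made-up-on-the-spot"

# Assumption: the receiver filled this store over a DIFFERENT channel
# (in person, by courier, ...), never from the messages it is used to check.
TRUST_STORE = {"alice": ALICE_KEY}


def compute_tag(sender: str, body: bytes, key: bytes) -> str:
    """MAC over the sender name and body; NUL separator avoids ambiguity."""
    data = sender.encode() + b"\x00" + body
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_envelope(sender: str, body: bytes, key: bytes) -> dict:
    """Build a message that carries its claim, its key and its proof in-band."""
    return {"sender": sender, "body": body, "key": key,
            "tag": compute_tag(sender, body, key)}


def verify_in_band(envelope: dict) -> bool:
    """Flawed check: the key is taken from the same bytes it vouches for.

    It detects accidental corruption, but says nothing about origin,
    because any sender can produce a self-consistent envelope.
    """
    expected = compute_tag(envelope["sender"], envelope["body"], envelope["key"])
    return hmac.compare_digest(expected, envelope["tag"])


def verify_out_of_band(envelope: dict, trust_store: dict) -> bool:
    """Check against a key obtained outside the channel; ignore the in-band key."""
    key = trust_store.get(envelope["sender"])
    if key is None:
        return False  # no basis for reliance on this sender at all
    expected = compute_tag(envelope["sender"], envelope["body"], key)
    return hmac.compare_digest(expected, envelope["tag"])


# Constructed messages: one really from Alice, one forged in her name.
GENUINE = make_envelope("alice", b"pay 10 to bob", ALICE_KEY)
FORGED = make_envelope("alice", b"pay 9999 to mallory", MALLORY_KEY)
UNKNOWN = make_envelope("carol", b"hello", b"carol-key-never-exchanged")

if __name__ == "__main__":
    for name, env in (("genuine", GENUINE), ("forged", FORGED), ("unknown", UNKNOWN)):
        print(name, "in-band:", verify_in_band(env),
              "out-of-band:", verify_out_of_band(env, TRUST_STORE))
```

The in-band check accepts all three envelopes, including the forged one; only the check that draws on the separately established key rejects the forgery and the unknown sender.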

So how does the trust model work? -- This is the wrong question to ask here! The real question is: "What trust model would you like to use?" There is a built-in notion of the meta-rules (given by the trust definition), that any trust model has to follow, but I might buy a trust model from someone and add that model, design my own model, or even augment a model that I bought. Different trust models can be used as long as they conform to the given trust definition.

The problem today is, thus, basic: a lack of understanding of trust's truth conditions does not allow trust's truth-values to be well-defined, try as we may. And such confusion is not a prerogative of today's Internet security protocols, as McKnight and Chervany show in their extensive study on the meanings of trust [McK96] in several other areas. It exists in all other areas where the concept of trust is used, such as in management, interpersonal relationships, business relationships, security policies, etc. And it cannot be solved by just positing a behavior for trust -- since trust is a fundamental concept both used and useful in the real-world as we can see by its widespread application in all cultures and respective law systems.

While the paper oftentimes uses humans to exemplify notions of trust, it is not relevant if there is, or there is not, a human in control of an end point, a machine or some software.  It can very well be another machine. Trust is defined in such a way that its usefulness is no longer limited to human communication.
 

2. The Real-World Model of Trust

Fifty years ago, Shannon was faced with a problem: he needed to define the concept of information, but in a way which would allow its unambiguous use in communication engineering while still conserving a real-world significance. Preceded by the efforts of Szilard [Szi29], who in 1929 identified the unit or "bit" of information when dealing with entropy and the Maxwell's Demon problem in Physics, by Hartley in 1928 [Har28] and by Nyquist [Nyq24] in 1924, he took a different approach than just positing a behavior for information. Let us follow his steps in Information Theory [Sha48], which has found applications in several areas including his own ground-breaking paper on Cryptography [Sha49]. As commented in [Ger97]: "In Information Theory, information has nothing to do with knowledge or meaning. In the context of Information Theory, information is simply that which is transferred from a source to a destination, using a communication channel. If, before transmission, the information is available at the destination then the transfer is zero. Information received by a party is that what the party does not expect -- as measured by the uncertainty of the party as to what the message will be." Shannon's contribution here goes far beyond the definition (and derived mathematical consequences) that "information is what you do not expect". His zeroth-contribution (so to say, in my counting) was to actually recognize that unless he arrived at a real-world model of information to be used in the electronic world, no logically useful information model could be set forth!

Now, in the Internet world, we have come to a standoff: either we develop a real-world model of trust or we cannot continue to deal with limited and fault-ridden trust models that treat trust artificially and objectively, as the Internet expands from a parochial to a planetary network for e-commerce, EDI, communication, etc. We must be able to fully handle trust and all its subjective and intersubjective aspects.

And, what would be a "real-world model of trust" for communication systems, e.g. the Internet world?  Akin to Information Theory, the concept of trust in communication systems must have nothing to do with friendship, acquaintances, employee-employer relationships, loyalty, betrayal and other overly-variable concepts.  Here, trust is not to be taken  in the purely subjective sense either,  nor as a feeling or something purely personal or psychological -- trust is to be understood as something potentially communicable. Further, if trust must bridge different instances and observers, otherwise communication would be isolated in domains, then all different subjective and intersubjective realizations of trust must depend on some common, basic and abstract idea -- an archetype in some terminologies.  As used in the context of Generalized Certification Theory [Ger98a] trust is, simply:

"trust is that which is essential to a communication channel but cannot be transferred from a source to a destination using that channel".

This is a formal and abstract definition of trust. It defines trust by the properties it obeys, without citing any context, without even providing an example we could denote -- it does not provide a value, only behavior. Thus, the given definition achieves the broadest possible conceptualization of trust, since it is both environment-invariant and observer-invariant (environment and observers are abstract). But, we expect it to contain the seed-thought or root-idea of trust. In other words, we expect it to contain trust's implicit truth conditions for any explicit trust application we may need, from the social scenario to automatic communication processes. This should afford a unified "gist" of trust to be perceived in all applications -- which we also expect to be close to the real-world gist of trust.

The author considers (and the paper shows) that an abstract definition is much more general, and preferable, than an explicit definition that would depend on a particular set of environment assumptions. The different environment assumptions then represent nothing more than different stances for the abstract definition of trust, not different concepts of trust. Semantically, the abstract definition of trust is a logical proposition which is assumed to contain the Fregean [17] seed-thought for the full concept of trust, which then unfolds as explicit truth-conditions when applied to each practical stance, which, in turn, may provide different truth-values to each observer. In other words, the abstract definition is fully abstract -- so, it can be behind all different truth-values one may derive from the concept of trust, for each observer and in each case.

Accordingly, the abstract definition for information is defined to be "that which is transferred from a source to a destination, using a communication channel" [Ger97], which may highlight the differences and similarities with the given definition of trust, above -- and also does not use any a priori uncertainty models.

Mathematically, the author views an abstract definition as an abstract class, which can be represented by appropriate operators in almost any number of formalisms or stances, that may not be isomorphic to one another and which can be calculated in specific reference frames or observer coordinates. Such operators do not have to be transformable into one another and can directly yield final values -- which operators and values, clearly, may be very different as a function of formalism and reference frame but which, nonetheless, result all from the same abstract class. Application of the abstract definition leads to explicit definitions, each of which needs an explicit stance and explicit observers.

For example, to apply the abstract trust definition to certification, one only needs to see a certificate as a secure communication channel between the parties in the dialogue, past and present -- also including third-parties such as a CA. To apply it to other areas, one only has to recognize what the communication channel is and what is essential to it -- as viewed by an observer. In other words, we are now at liberty to define any number of concrete trust models (i.e., explicitly modelling a particular situation at hand, to the best effort) that conform to our one abstract model of trust (i.e., the abstract trust definition). For example, more than thirty different explicit trust models are derived in this work, as examples, but many more are possible. It is important to note that the observer can be either party, both, none (i.e., can also be a third-party) or several in several combinations.

If there is no communication channel from the outside to the system, then the system views itself as isolated and it is not possible for the system to have any trust besides self-trust -- i.e., an isolated system can only have self-trust because it only communicates with itself, past and present. The outside world may however receive communications from the system -- which can allow the outside world to have trust in regard to an isolated system. See the definition and discussion on self-trust.

So, using the definition of trust just given and moving toward an understanding of the definition by using examples, when a lion communicates with a lamb the lion does not need to receive any transfer from the lamb besides that which is communicated in the channel itself, whereas the lamb needs to know whether the lion is hungry -- which is not information and which cannot be transferred in the same channel. If such data were information, then it would be new to the lamb (sorry, ex-lamb, now food).
If such data were transferred in the same channel, how would the lamb know that the lion was not lying? This example shows the interplay between trust and power. A very large difference in power, of one agent over another, implies that the more powerful agent can offset and control the other agent to such a degree that the other agent's actions are immaterial, even if the actions are already occurring -- hence, no trust on the least powerful agent is needed in such case. On the other hand, the least powerful agent needs trust on the other agent's behavior, since it cannot offset or control the other agent's actions in any degree -- it needs to know with high reliance what the other agent's actions can be and, in some cases, what they cannot be, before they happen.

One example of the interplay between trust and power was observed in history when the sea explorer Vasco da Gama circa 1498 opened the first commercial route from Europe to India by sea and used the mutual exchange of "willful-hostages" (the old version of ambassadors) to physically warrant with their lives the mutual contractual obligations in the bilateral merchant agreements [Mein98] -- this was done because there was no initial mutual trust. The current diplomatic action of recalling one's ambassador, considered diplomatically to be a strong exterior sign of disagreement between countries, has its roots also in the early use of ambassadors as willful-hostages subject to physical retaliation (as ambassadors have been jailed and killed because of political/mercantile disagreements, even in the recent past) -- notwithstanding the consideration that it is deeply illogical to disrupt a communication channel (i.e., that uses the ambassador as the trusted carrier) exactly when the channel is most needed. Further, ambassadors are an anthropomorphic example of the fact that trust is indeed the carrier of information, not the other way around, as this paper discusses in Section 4.

Thus, loosely speaking, "information is what you do not expect" and "trust is what you know". Linking both concepts, "trust is qualified reliance on received information". We have thus used the abstract definition of trust and built the first two explicit definitions of trust, albeit in a very much simplified context and using an anthropomorphic metaphor. "To make progress in understanding all this, we probably need to begin with simplified (oversimplified?) models and ignore the critics' tirade that the real world is more complex. The real world is always more complex, which has the advantage that we shan't run out of work." [Ball84]. All these considerations can now be viewed non-anthropomorphically when dealing with the concept of trust in communication engineering and security design -- i.e., using the given abstract definition of trust and applying the same reasonings to computable processes, for example to understand how software agents could benefit from similar concepts and strategies. Further, the importance of the anthropomorphic metaphor used in this work is to provide a class of test examples that are a priori observable (i.e., exist at least once), describable, decidable, finite and possible -- without being necessarily causal, ergodic, reversible, deterministic, probabilistic, etc. This may motivate the reader as to the engineering usefulness of some apparently philosophical passages in this work and to their direct application in several areas of work, when properly instantiated.

As a better approximation to the definition that "trust is what you know" in the anthropomorphic metaphor, consider that "trust is what you know you know you know" -- i.e., the lamb not only needs to know (i.e., be aware of, can spontaneously recall) that it knows the lion is not hungry but must also be able to know how to act upon that knowledge. At the human instance, this means that you cannot use your 'prior knowledge' (i.e., what you know you know) in order to do anything, unless you also know about the applicability of that 'knowledge'. The extension to software agents is immediate; for example a trusted mobile agent may not be trusted as a function of changes in its operating platform (the pragmatics used) -- even though the platform itself may be secure and expressible enough -- if you have no evidence of that.

Trust and information are to be understood thus as two cardinal properties of communication systems -- their interplay affording new modes of communication (to be dealt with elsewhere), for example allowing meaning (semantics in semiotics) to be relinked with names (syntactics in semiotics) at the receiver side (see [A.4.3]).

The second explicit trust definition given above will now be cast in equivalent Information Theory terms. Here, I also exemplify a second derivation method. Instead of using the abstract definition directly, it is possible to begin with the already derived expression "trust is qualified reliance on received information" and concretely specify the observer, the observed and the existence of a (yet unnamed) reliance metric -- deriving another explicit definition of trust as "that which an observer knows about an entity and can rely upon to some extent".

To proceed, we can now specify the reliance metric and its applicability. First, I note:

(i) "that which an observer knows and can rely upon to some extent" can be modeled in Information Theory as an estimator with variance as small as desired by an observer (quasi-zero variance), that has measured the expected unsupervised behavior (i.e., unsupervised by the observer) of an entity and,

A note on quasi-zero variance. The prefix "quasi" means "as if", "approximately". Thus, the term "quasi-zero" is used to illustrate two important points: (i) quasi-zero means "approximately zero" and represents a positive value which is as close to zero as desired by the observer, (ii) the amount of "closeness" is subjective and is defined by the observer. Thus, "quasi-zero variance" means a variance that is "as if" it were zero to the observer -- i.e., so small that it is considered to be zero by the observer, which however could be considered large by another observer. The same applies to the term "high-reliance" to be used later on in the exposition, where "high" means as close to 100% as desired by the observer -- however, possibly different for different observers. In both cases, one is enforcing the concept of high-reliability -- while high-accuracy is dealt with by the proper extent of "matters of x".

(ii) the abstract definition depends on an abstract temporal or event clause -- trust must be defined at some time T in relationship to the communication process itself.

The next explicit definition is thus "trust is that which an observer has estimated with quasi-zero variance at time T, about an entity's (unsupervised) behavior on matters of x". Note that the word "estimated" does not mean probabilistically, but is linked to any estimation or inference process in general --  such as by using inference, deduction, computability, probabilistic theories, constraints, etc., and also in combination. Hence, an observer can rely upon an estimator that it has obtained in the past in order to predict future unsupervised behavior of the entity regarding matters of x -- because the estimator has an expected quasi-zero variance.

Thus, trust can be described by a "Non-Probabilistic Inference Model of Trust" (NPIMT). Of course, "non-probabilistic" does not mean that probability is not used in the trust model -- as explained above.

The underlying concept of this model of trust is that of justification. It is not essential to this model of trust whether a natural or logical connection exists between trust and justification. Of course, the use of probability or deductive-logic may serve to raise the level of justification for a subject matter, when compared to a natural connection that is simply observed.

Justification defines the context of trust for the truster. In other words, justification defines the context of a relying party's (RP's) reliance [9]. It's easy to say that a truster's justification of trust, or an RP's justification of reliance, is a matter of need. But this is not quantitative. If we are to make some progress in this, we need to define those needs as degrees or levels -- i.e., in terms that let us identify their differences and their required trust models. Thus, it all hinges on the definition for justification, as a metric function that decides what is justified and what is not. This definition can be changed as needed, even for the same person in the same trust act (this might sound strange but is very much needed as we usually deal with more than one person/company at a time even for one transaction -- e.g., buying, paying, delivery, maintenance, etc.). All these definitions, however, must interwork in terms of meaning. It is not enough that they interoperate syntactically.

I now introduce the concept of "best justification" as that justification level which leaves the truster with no doubts. This is consistent with the idea that trust (or distrust) is always 100%; what changes in value is the extent of trust that is chosen by the truster. Likewise, the extent of the doubts that must be satisfied in "best justification" is chosen by the truster.

To simplify, let us begin with the following five reliance levels, from weaker to stronger, for a truster (or RP):
 

(0) What the truster relies upon without any consideration of "why" and without any recourse. It is a subjective metric, here called "open reliance".

(1) What the truster relies upon without any consideration of "why". It is a subjective metric, also called "actual reliance", similar to the same concept in law.

(2) What the truster relies upon because it is presented by a party accepted by the truster for that purpose. It is an intersubjective metric, usually called "authorization reliance", similar to the same concept in law.

(3) What the truster as a reasonable man might do, with all prudence that  might be reasonable to use. It is an objective metric, also called "reasonable reliance", similar to the same concept in case law  which establishes  it as an objective test given by  "what would be reasonable for a prudent man to do under the circumstances".

(4) What can be justified by the truster after an examination of the facts presented. It is a subjective metric, also called "justified reliance", similar to the same concept in law.

Another example might be what a fair random process might choose, given all possibilities. This is an objective metric, here called "statistical reliance", similar to the same concept in law, used in lotteries, auditing and some payment systems for example. Yet another example might be what has been verified with some chosen technology, but only automatically. This is an objective metric, here called "process reliance", and can be useful for security-automated processes.

- "matters of x": description of expected action, action/reaction or linkage in a setting, in terms of the truster and confined to the largest extent that still fits in the "best justification" metric [A_3].

- "epoch" or only "time": space, time, events, agents, persons, objects or a set thereof in terms of the truster, which define a setting for "matters of x" and for "best justification", such as: initial date, expiration date, revalidation date, usage periods, number of times used, event trigger, distance data, environment data, language specification, network protocol specification, platform used, physical network used, location, users, etc., either as a single point or as a sequence of points.

- "entity" or "trustee": person, agent, object or a group thereof on which "matters of x" logically or naturally depends, in terms of "best justification" as seen by the truster and within the "epoch".

and define, in terms of a truster and trustee (entity):

- "trust-point": matters of x, for a given entity and epoch.

- "trust": (noun) a linked collective of trust-points

- "to trust": (verb) to rely on trust

- "A trusts B on matters of x at epoch T": a boolean trust-proposition, which is either true or false.

Now, I note that "to rely" is an essential aspect of trust as a verb, since A cannot trust B on matters of x at epoch T unless A actively relies on that trust-point. I also note that when the definition says that "to trust" is "to rely on trust" this does not imply circularity because "trust" is used as a previously and independently defined noun in order to define the verb "to trust". Further, to compare with matters of law, the usual legal concept of "reasonable reliance" is understood [SCUS] to be an objective legal standard for collective evaluations (such as by a jury) while "justified reliance" is understood [SCUS] to be a subjective legal standard more generally acceptable for evaluating individual actions -- which makes "subjective reliance" in law very similar to the concept of trust based on the metric of best justification, as given above.

Which means that trust is not auditing -- trust is that which can be relied upon without surveillance by the observer (possibly because it cannot be measured due to physical, secrecy, cost, time or other difficulties). It  is also possible for the observer to indirectly and anonymously gather sufficient information to define a suitable estimator for the entity's behavior on matters of x, without any contact with the entity itself --as when using a trusted proxy (which, however, depends on a primary trust relationship with the proxy). Further, the observer can also use the measured estimator at time T to analyze past behavior of the entity (i.e., before time T). So, the estimator can be seen as a quantitative forward- and backward-predictor  for the acts of an entity regarding matters of x, when that entity is not supervised by the observer.

The next three paragraphs touch upon a large difference between the technical use of "trust" (as defined) and "trust" in the social and linguistic domains. The difference is not on the meanings of trust, which remain equivalent also with the considerations below, but how to represent different degrees and extent of trust. The exposition presents a method (based on full atomic qualification) which is precise and compact, well suited both for technical as well as for non-technical use -- however, perhaps too formal for every-day use. As the second paragraph shows, such "poetic" and "every-day" use of trust also wrongly permeates security work or communication protocols -- rendering trust concepts difficult to use, because ill-defined. This may explain trust's "bad name" as a difficult concept, perhaps even as an overly-loaded terminology. The problem is not however in the concept of "trust" by itself, but in using wrong trust quantifiers.  The third paragraph extends the method (i.e., based on full atomic qualification) to the questions of defined versus undefined trust, allowing indeterminacies to be resolved in a simple and intuitive way.

To represent degrees of trust, the estimator's (quasi-zero) variance is not allowed to change, because such would not be a useful model (see next paragraph). Rather, without loss of generality, the estimator is kept at quasi-zero variance but its reach (e.g., as given by matters of x) is increased to reflect a higher degree or decreased to reflect a lower degree of trust. This is similar to the mathematical procedure of finding an area under a curve that represents near 100% reliance (i.e., quasi-zero variance) on matters of x.  In other words, we regard the issues of reliability and accuracy as  two fully independent variables: (i) high-reliability is demanded as the primary parameter and is reflected in the estimator's quasi-zero variance or high-reliance, (ii) accuracy is measured by the extent of "matters of x" that still allows high-reliability. Thus, if the observer has no trust on the observed entity, then x is the empty set (i.e., 100% reliance on nothing represents zero area under the curve -- or, no trust). As the observer increases its degree of trust on the entity, then the estimator becomes more and more complex and represents an enlarged set of matters of x for which the entity can be represented with quasi-zero variance (i.e., with near 100% reliance) -- i.e., achieving more accuracy for the predictions, but without sacrificing reliability.  This means that trust can also be defined explicitly by "trust is that which an observer has estimated with high-reliance at epoch T, about an entity's (unsupervised) behavior on matters of x".

Oftentimes, some trust models, risk management policies and security policies try to qualify degrees of trust with concepts such as "partial trust", "marginal trust", "fully trusted", or by defining multi-level logic with rules for majority voting and precedence. That is done to try to convey the idea of how well "trust can be trusted" -- which easily leads to circular truth conditions and undefined statements. For example, does "partial trust" mean increased unreliance on the expected outcome, on the expected model for all possible outcomes or a reduction on the model's scope? Partial in relationship to what? Thus, such trust "qualifiers" are unable to address atomic qualities in the trust concept and just operate, at most, as a collective qualitative indicator from that particular observer's viewpoint. The author takes the stance that no qualifiers whatsoever (i.e., partial, marginal, complete, bad, good, large, small, minimum, maximum, etc.) should be used with the word trust because they are neither well-defined, quantitative nor needed. Further, they introduce an additional layer of intersubjective concepts and they decrease the semantic importance of the word trust itself. Instead, it is better to recognize that the concept of trust has already by itself such qualifiers "built-in" in its own qualifier "matters of x" -- which can however include the atomic qualities which are unaddressable from without. To exemplify, compare the phrase "Bob has partial trust that Alice will not receive a ticket for speeding" with "Bob trusts Alice on matters of x", where "matters of x" is "Alice may receive tickets for speeding". The same thought is expressed in both phrases but the last phrase allows a precise answer to the question "What is trusted?" and can thus be directly applied in appropriate predicate calculus.
The last phrase can also easily lead to a quantitative and atomic treatment, when Bob  has more knowledge on Alice's behavior and may be able to define "matters of x" as "Alice receives tickets for speeding with a 10% chance every time she drives at night, with a +-5% absolute variance".   It is not necessary either to define distrust or lack of trust, because distrust is simply the atomic negation of a particular matter of trust, which can be as extensively negated as we need, e.g. in "Bob trusts Alice on matters of x" where x is the null set -- so that effectively Bob trusts Alice on nothing.  However,  trust can be negative as when you affirm that you trust someone to be untrustworthy. Further considerations on these issues are given below and in the discussion on matters of x.

Still on the question of degrees of trust, it is also customary to discuss "unqualified trust" versus "qualified trust" -- with expressions such as "Alice trusts Bob" being "unqualified trust".  This paper takes the stance that such expressions are dubious, are not necessary and should not be used in technical work (albeit possibly useful in poetry) -- for example, in "Alice trusts Bob" is "matters of x" unknown, abstractly defined by Alice or, is  x the Universe set? As explained in the former paragraph, the built-in qualifier "matters of x" has to be recognized and its truth-value must be defined in the trust proposition -- e.g., by defining "x" in "Alice trusts Bob on matters of x". Thus, if one means that Alice trusts Bob on all matters then this can be expressed by using "x=U", where U is the Universe set. Or, if one means that its value is abstractly defined by Alice then one uses "x=Alice" and this means that Alice defines what Alice trusts on Bob. If "matters of x" is unknown then one uses "x=0" where "0" is the null set  -- i.e., trust on the unknown has a null set of trusted matters. This standard usage allows a precise statement of the trust proposition, clearly a need for precise calculations, which is natural and easy to define in the presented formalism. As a special case, it is however useful to define that "Alice trusts Bob"  necessarily means the case with x=U -- which matches the intransitive usage of the verb trust, as "In God we trust". Thus, without a "matter of x"  qualifier, an unambiguous and intuitive use of the trust proposition "A trusts B" should imply that the qualifier x must be equal to the Universe set.

It is instructive to view trust as an open-loop control process, in control theory terminology -- i.e., a control process which does not rely on a closed feedback loop in order to achieve its purposes. This comparison allows one to recall the advantages and disadvantages of open-loop control (e.g., trust) vis-a-vis closed-loop control (e.g., close surveillance) and apply them to the case at hand. In control theory, the basic parameter to measure performance is position-error -- which translates here to the trustee's actual response as compared to its expected or estimated (i.e., trusted) response. In open-loop control, one method frequently used to decrease position-error is to introduce periodic checks of any convenient system variable, not necessarily the control variable. This is equivalent to the well-known dictum: "trust but verify" -- implying the need for a pre-defined policy of checks and balances that can periodically adjust the trust estimator as a function of observed behavior. Further interesting qualities of trust over close surveillance can be exemplified by the mentioned control theory analogy, regarding the main advantages of open-loop control over closed-loop control: simpler systems (hence, less cost and better fault-tolerance), immediate response (i.e., nothing needs to be measured in order for it to operate), easier design (e.g., avoiding probable but unknown pitfalls of complex designs), easier interfacing (i.e., suffers and exerts less influence on the rest of the system), modular design (i.e., complete and interchangeable), cheaper, etc. Thus, trust can also be explicitly defined as "trust is an open-loop control process of an entity's response on matters of x" or, less precisely but more concisely, also as "trust is to rely upon actions at a distance".
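The representation of degrees of trust by the reach of "matters of x", combined with the "trust but verify" policy of periodic checks, can be sketched as follows (an added example, not part of the original paper). The class, the matter names, the 0-to-1 response scale, the bound standing in for quasi-zero variance and the minimum number of checks are all assumptions made for illustration, and the sample checks are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class TrustEstimator:
    """An observer's estimator of an entity's unsupervised behaviour.

    Hypothetical model: responses are numbers in [0, 1], and "quasi-zero
    variance" is approximated by a bound (epsilon) chosen by the observer.
    """
    observer: str
    entity: str
    epsilon: float = 0.01   # assumed bound standing in for quasi-zero variance
    min_checks: int = 3     # assumed number of checks before a matter can enter x
    errors: dict = field(default_factory=dict)  # matter -> list of position errors

    def check(self, matter, expected, actual):
        """One periodic check: record the position error (actual - expected)."""
        self.errors.setdefault(matter, []).append(actual - expected)

    def spread(self, matter):
        """Mean squared position error on one matter, or None if never checked."""
        errs = self.errors.get(matter, [])
        if not errs:
            return None
        return sum(e * e for e in errs) / len(errs)

    def matters_of_x(self):
        """The set x of matters estimated within epsilon.

        The degree of trust is the extent of this set, not a scalar
        qualifier; the empty set means no trust.
        """
        return frozenset(
            m for m, errs in self.errors.items()
            if len(errs) >= self.min_checks and self.spread(m) <= self.epsilon
        )

    def trusts(self, claimed):
        """Truth-value of "observer trusts entity on matters of `claimed`"."""
        return frozenset(claimed) <= self.matters_of_x()


def demo():
    """Constructed sample: Bob checks a CA on three hypothetical matters."""
    bob = TrustEstimator("Bob", "CA")
    first_round = [
        ("subscriber data correct", 1.0, 1.0),
        ("subscriber data correct", 1.0, 0.98),
        ("subscriber data correct", 1.0, 1.0),
        ("revocation published on time", 1.0, 1.0),
        ("revocation published on time", 1.0, 0.6),
        ("revocation published on time", 1.0, 0.9),
        ("key kept offline", 1.0, 1.0),
        ("key kept offline", 1.0, 1.0),
    ]
    for matter, expected, actual in first_round:
        bob.check(matter, expected, actual)
    x1 = bob.matters_of_x()

    # A further clean check lets a third matter enter x: the reach grows.
    bob.check("key kept offline", 1.0, 1.0)
    x2 = bob.matters_of_x()

    # A single failed check removes a matter from x in one event.
    bob.check("subscriber data correct", 1.0, 0.0)
    x3 = bob.matters_of_x()
    return x1, x2, x3


if __name__ == "__main__":
    for step, x in enumerate(demo(), start=1):
        print(f"x after step {step}: {sorted(x)}")
```

Reliability stays fixed by the bound while the extent of x changes, and asking `trusts()` about an empty set of matters is always true, matching "Bob trusts Alice on nothing".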

Trust on an entity cannot be viewed as a consequence of insurance or, as often wrongly expressed "It's not about who you trust, but who backs and indemnifies the context of the trust". The use of insurance always signals lack of knowledge -- so, clearly, it cannot replace it, it cannot replace trust. Further, there is no insurance needed for a sure event and there is no insurance possible for a sure risk. To exemplify another problem caused by such understanding, if a truster (e.g., a CA subscriber that trusts the CA) is going to pay for insurance to cover his liabilities and the trustee's (e.g., the CA's) liabilities -- which is what it would amount to if trust would be based on insurance because the bill has to end somewhere -- then responsibility has gone full-circle and is now only in the truster's hands -- both to get adequate coverage and to pay for it. While the trustee (e.g., the CA) has zero risk. However, that does not solve the risk problem for the truster either, if the trustee's acts may affect third-parties -- such as when a CA's (i.e., the trustee's) certificate is issued for a CA subscriber (i.e., the truster) but will be actually used by a generic user (i.e., a third-party) to certify the subscriber. Here, one cannot make the whole world sign up one huge insurance policy -- so the truster and the trustee may be protected by the insurance policy that the truster has bought with their names as beneficiaries but that does not protect a generic third-party (ie, the rest of the world) that may rely upon the trustee's acts on behalf of the truster (e.g., the certificate issued by the CA and purportedly including the intended subscriber's correct data).

Trust is not to be confused with accountability -- as sometimes expressed: "for e-commerce, trust is pretty well irrelevant and what you need is accountability". Indeed, the interplay between trust and accountability is sometimes difficult to delineate. But, here, logic can help.  Suppose you have the information that A is accountable on matters of x. Can this information be trusted?  So, trust is the vehicle, the carrier for accountability.

Trust is not belief but may be expressed in terms of belief. As one can derive from the work of Dempster  and Shafer [DS97], [Ger97], "belief is the probability that the evidence supports the claim". Thus, belief can indeed be used to gauge reliance on a trust-point, i.e., to verify if "matters of x" really represents "well  enough" the entity's actual behavior vis-a-vis the evidence. If one uses  the concept of belief, then trust can be defined by "trust is received information which has a degree of belief that is acceptable to an observer" -- which is linked to the concept of local knowledge in [Ger97], hence "trust is knowledge acceptable by an observer".

Trust is not probability, neither in frequency nor in bayesian interpretation, but may be expressed in terms of probability in either case. The frequency interpretation suffers from the "objective" aspect it assigns to probability and from a strong dependence on past events -- while trust is subjective and may suffer an abrupt transition to zero in one event. In the bayesian interpretation, even though one can compare Bayes-belief between different events and such belief is subjective, "Bayes-knowledge" gained from recent events and knowledge assumed from prior events cannot be treated as members of the same set of "knowledge". Thus, "new trust" would be essentially incompatible with prior trust, under Bayes. For example, "new trust" would need to be binary and could not be learned unless a non-zero probability for it already existed. Difficulties in the belief revision aspects of bayesian probability are important here, as discussed in the literature for example by Wang [Wan93]. Further, some aspects of trust imply conceptual coherence, while probabilities only describe perceptual coherence. For example, if I have a formula that can purportedly calculate any n-th digit of pi in base-16 (the Bailey-Borwein-Plouffe pi formula), then my trust in this formula depends on its conceptual coherence with the underlying mathematics. Which trust can justify my reliance on all its possible perceptual outputs even though I cannot perceptually measure all of them (i.e., I cannot verify all the infinite digits of pi that the formula can predict, to see whether they are true or not).

As initially defined by Wally [Wal91] but modified here in order to disambiguate imprecision from randomness and uncertainty from outcome prediction, the terms uncertainty and imprecision can be used to highlight different aspects of models. I define that a model is uncertain if we cannot make statements about a single outcome, or certain otherwise. The binomial model for flipping a coin is a good example of an uncertain model, as we cannot predict a single flip, even though we are sure that half of the tosses should come up heads if we wait long enough. A model is imprecise if we cannot predict the long run behavior, or precise otherwise. For example, we may have insufficient information about the failure rate of a component of a new car type, in order to make a precise model. Using this terminology together with the usual definitions for objective and subjective, we can see that probability is an objective (frequency analysis) or subjective (Bayes) precise uncertain model, belief is a subjective imprecise uncertain model, fuzzy logic is an objective imprecise certain model, whereas trust is a subjective precise and certain model. Thus, probability is the mathematics of objective and subjective uncertainty while trust as defined in this paper aims to be the mathematics of subjective certainty and precision.

Trust can be negative -- meaning that you know you cannot trust. This is a situation of "knowing with qualification that there is a definite lack of trust",  exemplified by the phrase from an actual work e-mail message (names changed) by a contributor to this discussion: "As I stated to James in our Team phone call on Wednesday, Acme  has now taught us to trust Acme to be untrustworthy, and we must  hold that trust until Acme breaks it,  since there is no basis for any other kind of trust." Of course, if we know we cannot trust then that qualified lack of trust is trust.

Trust can be neutral, neither positive nor negative, as exemplified by  case C for Phill's modem in the Appendix [A.4.10] -- corresponding to the case where one needs no trust. As  explained in NOTE 2,  "needs zero trust" or "needs no trust" is not the same as  "has no trust". To say that "channel A has no trust for property X"   is the same as to say that "channel A does not transfer trust for  property X" -- so, if you need trust on property X you cannot  use  channel A alone.  However, when channel A "needs zero trust for  property X" it means that no other channel is needed in order to transfer property X, but channel A.

It is interesting also to compare trust with risk -- which is one of the counterparts of trust. Indeed, if the risk is null then anyone can be trusted. Or, if the risk is sure then no one can be trusted. Further, more trust means less perceived risk that some piece of data, behavior, etc. will turn out to be different than expected. The comparison between risk and trust seems to have another contact point: this paper considers that trust indeed has components which must be individually "perceived" or earned -- in the same way that risk must be individually "perceived", cf. Shrader-Frechette [S-F97]. This means that neither can be just "assigned" -- because both are linked to what an observer can estimate and rely upon to some justifiable extent. In her study on risk evaluation, Shrader-Frechette explains:

"Assessors who subscribe to the "Expert-Judgment Strategy" assume that one can always make a legitimate distinction between "actual risk" calculated by experts and so-called "perceived risk"  postulated by laypersons.   They assume that experts grasp real, not perceived, risk, but that the public is able only to know perceived risk. This essay argues that all risk is perceived, even though there are criteria for showing why some risk perceptions are more objective or better than others. It argues that, although risk is not wholly relative, it is unavoidably "perceived." After showing what is wrong with the Expert-Judgment Strategy and the ethical consequences following from its use, the essay argues for an alternative approach to hazard evaluation and risk management. It describes a new, negotiated (rather than merely expert-based) account of rational risk management." thus, defending the use of subjectively centered perceived risk over expert-based objective risk and further discussing eight different reasons for it. Using this paper's terminology and Shrader-Frechette's study, risk can be explicitly defined as "that which an observer has estimated at epoch T, about an entity's failure possibility on matters of x", which allows risk to be quantitatively used when calculating risk/cost factors as a function of trust.

However, trust should not be confused with the absence of risk. The fact that some parts (ie, aspects) of trust may use risk to formulate a decision process does not mean that trust as a whole must be based on risk. Further, if an aspect of trust uses risk as a tool in the decision process to trust then that part may be described by probability but, not necessarily -- as risk may not be ergodic itself.

Further comparisons can be useful, undoubtedly. They are also interesting to exercise the explicit meanings of trust which are being developed as stances of the abstract definition. However, Section 4 will provide general arguments that will allow a broader understanding of the role of trust in communication systems -- making it possible to deal at once with several comparisons. Section 3 deals with the need for such comparisons, as a way of measuring if and how well the abstract definition of trust can represent reality -- as a source for useful real-world models of trust.

This paper considers trust to be essentially subjective, as one of its main truth conditions. Which may present an apparent contradiction with situations where trust may be perceived by some as objective (such as trust on an objective fact -- e.g., life and death, money) or sometimes also as intersubjective (such as trust on a professional ability -- which also depends on the chosen professional). The main word here is "subjective" -- which means that one needs to take a subjective or personal instance in order to evaluate an object. For example, beauty is a subjective concept ("beauty is in the eyes of the beholder"). A secondary word is "intersubjective" -- meaning that this instance can yield different results for objects of the same class. For example, a medical diagnosis for a patient is intersubjective because the diagnosis itself is a particular instance from the class of all diagnoses possible for that patient at that time, each clearly dependent on the patient's relationship to the physician and different from the other. It is interesting to note that an intersubjective concept is overly-variable in reference to a subjective concept, because it also depends on the particular instance of the class' object.

Thus, the paper considers trust to be subjective ("trust depends on the observer") because trust is similar to beauty and dissimilar to a medical diagnosis in that regard: trust and beauty are abstract objects that cannot be differently instantiated. However, even though trust is subjective, trust on a CA certificate is intersubjective because it cannot be harmonized or harmonizable for all CAs or, even, for all similar certificates issued by a particular CA. The conclusion is clear: trust is subjective but can acquire an intersubjective dependence. Further, the subjectiveness of trust may still allow a possible coherent intersubjective concordance over a large population in regard to one entity -- which could lead to an impression of its objectiveness.

Therefore, the proposed definition of trust can also easily explain the oftentimes contradictory and seemingly confused behavior of objective, intersubjective and subjective perceptions of trust -- leading one time to what seems to be "objective trust" (e.g., currency, life and death cycles, the Earth's orbit, etc.) when there is a large collective of agents that coherently trust one target, other times to "intersubjective trust" (e.g., mother and son, certificates from a CA, etc.) when there are some collectives of agents that develop mutual trust relationships, and still other times to "subjective trust" when the subject independently defines who or what the trustee is. Therefore, all these "trust modes" can be simply explained by recognizing that they depend atomically on the collective and individual actions of a large or small sample of agents that, nonetheless, trust one another entirely subjectively. Which easily explains historical difficulties such as faced by Galileo Galilei, when he proposed to change the then "objective" trust that the Sun revolved around the Earth. Clearly, it is much more difficult to change trust when it is confused with fact -- which was the case.

As this paper shows, all trust is essentially subjective and all trust is essentially knowledge that an observer has acquired and upon which can rely to some extent -- which means that the observer not only evaluates trust but also stores it either directly or indirectly, with all its multiple interdependencies and relative reliabilities along a timespan. If the occurrences that we see in time are called "perceived facts" -- whether objective, subjective or intersubjective -- then trust is not the facts themselves but knowledge about the perceived facts -- which depends on each observer. Essentially, in our interactions, we compare trust -- not perceived facts and not facts. The same happens with our cyberagents, software programs and also hardware -- which can then be recognized as equally able to deal with and use "their" trust as we can with ours, even and most importantly when in interaction with us. As we can understand from the given real-world models above, this allows a common ground for process-trust and social-trust, linking cyber and 3D worlds.
 

3. The Trust Definitions: Abstract and Explicit

To summarize the results so far, all possible "real-world models of trust" for the Internet, law, e-commerce, linguistics, etc. are postulated and defined by one abstract and formal definition, which is the seed-concept for all the other definitions:

trust: "trust is that which is essential to a communication channel but cannot be transferred from a source to a destination using that channel",

In a general communication context, trust can then be defined from the formal definition of trust given above by any of a series of combinations of different instances and observers, leading to any number of equivalent explicit definitions such as (where the term "entity's behavior" is to be understood as unsupervised by the observer, except possibly at epoch T):
 
trust: "trust about an entity's behavior on matters of x is that which an observer has estimated at epoch T with a variance as small as desired",
or, conversely, by the equivalent explicit definition:

trust: "trust is that which an observer has estimated with high-reliance at epoch T, about an entity's behavior on matters of x",

or, by other also equivalent explicit definitions -- which may convey other modes of thought when the abstract definition is placed in different contexts:

The definition of trust can also be instantiated for each particular worldview such as objective, intersubjective and subjective -- from the abstract formal definition:

subjective trust: "trust is what you know you know you know" -- you know, can recall at will and know how to use.

Using the definition of belief [DS97], [Ger97], as "belief is the probability that the evidence supports the claim", one can also write:

trust: "trust is received information which has a degree of belief that is acceptable to an observer",

trust: "trust is knowledge acceptable by an observer",

and, when using the concept of "one's perception" as a filter and a gauge for reality, so that "one's perception" is actually a qualifier, it is also possible to write:

trust: "trust is knowledge about one's perception of a fact",

trust: "trust is that which provides meaning to information",

and, using other stances including the absence of trust (as discussed elsewhere):

trust: "trust is a link between a local set of truth-values and a remote set of truth-conditions",

trust: "trust is a link between reference and referent",

trust: "trust is a link between referent and sense",

trust: "trust is a link between reference and sense",

trust:  "trust is measurable by the coherence of understanding"

trust: "trust is that which absence can make any state possible",

trust: "trust is that which absence can make any state transition possible",

trust: "trust is that which absence can make a process non-ergodic",

trust: "trust is that which absence cannot justify reliance",

etc.,
 

Further, if we consider the rather naive but objective "definitions" of time and space as "time is what can be measured by a clock" and "space is what can be measured by a scale" then which anyone can try by timing five seconds without a clock and five feet without a scale, for example -- where the time and space measurement depend on subjective trust as "what you know you know you know" or, "you know, can recall at will and know how to use". Perhaps, harder to do if I had asked to measure one meter without a scale -- for the US readers. So, this definition also means that:

And, perhaps as difficult to objectively define as time and space -- since we must always incur some degree of circularity in their definitions in terms of other terms. Which points to the usefulness and generality of the abstract definition of trust, that only depends on formal relationships between intuitively definable objects (essential, communication channel, source, destination, transfer).

The following definitions are also useful, in terms of the concept of a "trust-point" for "matters of x"  [A_3], where a trust-point is the "elementary unit" of trust in a given metric:

so that trust can be defined in terms of trust-points, as a molecule can be defined in terms of a linked collective of atoms:

and we can now distinguish well between the noun and the verb functions in reference to trust and introduce the concept of a "trust-proposition" in boolean logic:

The above definitions can be shown (A.1 and A.2) to link well with the real-world use of the word "trust" as given in linguistics and social sciences. In the author's opinion, linguistics holds a hidden treasury for software and for behavior modeling regarding trust, risk, etc. -- especially when one views it as an anthropomorphic metaphor for software/hardware and targets also the mind/brain dichotomy as it applies to software-hardware and what software really "is", besides the bytecode-runtime (brain). According to this view, one should recognize that many complex relationships have been already "modelled" and "coded" in each particular linguistics, including different historical perspectives and commerce practices. This leads to a new approach to semiotics to be pursued elsewhere in its generality, which unfolds naturally from the central concept of coherence -- coherence as a natural or logical connection. One of its applications is a redefinition of "identification" and "identity" in terms of coherence [Ger98b]; with various levels of identification given as I-1, I-2, etc., and including trust at level I-2 -- as that which is measured by the coherence of understanding [Ger98c].

It must be pointed out that while many more explicit definitions of trust are possible, also as a function of pragmatics (in semiotics), the abstract definition is perhaps the most general and invariant formulation -- the seed-concept for all the other definitions of trust. As shown also in the Appendix, not only useful explicit definitions for process-trust but also for social-trust can be derived from it. Thus, whenever we refer to the "trust definition" we mean the abstract formulation in the first place and the explicit forms as secondary. It is also important to note that other abstract definitions can be derived from the given one, not just explicit definitions, but that is usually not so useful because abstract definitions cannot be directly applied to a case without first defining the stance and the observer (i.e., by defining an appropriate explicit definition).

However, what is the use of so many different derived definitions?  Here lies one of the most powerful aspects of the present treatment -- since all such definitions are equivalent, they can be potentially mixed with one another in adequate logical propositions that may allow for different trust stances and observers to be combined, as necessary.  This means that, for example, one may perfectly well consider in one statement a trust proposition that depends both on trust on a system (which is process-trust and acquires an objective quality) and, trust on the intentions of a person using such system (which is social-trust and has an intersubjective quality). The different statements (i.e., social versus process trust) would simply use different trust-points to represent the different operators for matters of x.

Another question that the reader may have at this point concerns a perhaps expected polemic around the above definitions, specially the abstract definition -- "is the abstract  definition of trust the right one?".  Clearly, this is a right question. Paraphrasing Tarski [Tar44], I hope that nothing that I have written here,  will be interpreted as a claim that the abstract definition of trust is the "right" or the only possible one. However, what is "the right one"?  Here, perhaps the only metric we may accept is that given by Leshniewski and quoted as this paper's motto:  "A theory, ultimately, must be judged for its accord with reality". This is the reason why we have extensively looked into the question of what trust is and what it is not,  when comparing the predictions made by the abstract definition with the technical and linguistic usage (see A.2) of the word "trust" in our reality -- for several stances and observer relationships. We have indeed verified that the given abstract definition produced results which were semantically equivalent to a series of meanings of the word trust which were investigated, with no exception. Since we covered the majority of meanings that are needed in communication systems, based on several common stances and observer relationships, the paper justifies the abstract definition by its accord with reality -- at least, for the tested part of reality.  The reader is invited to test other parts of reality and to communicate the results of such tests to the author, either for positive or for negative findings. Particularly interesting could be the application of the abstract trust definition to other areas besides technical communication processes , such as to test its usage also when modeling trust for legal and social communication processes -- e.g., power relationships, managerial activities, auditing, interpersonal relationships, art evaluation, etc.

It is useful also to consider the question whether the author should have used a different word, for example "drust", instead of "trust" for the abstract definition. However, the objective -- from the outset -- is to define "trust" so that the abstract definition must be able to produce explicit definitions which should be equivalent to the real-world (i.e., social, legal, etc.) uses of the word "trust", at least for the majority of useful cases. Thus, the question is not what is the concept herein defined, but whether it is equivalent to what one would expect from linguistics, social sciences, etc. Which, indeed, is the case at hand -- as already commented above.

The provided trust definition leads to several consequences, to be pursued elsewhere, but the ones we need to cite here are:

  1. "trust depends on the observer" -- or, "there is no absolute trust". What you may know can differ from what I may know.
  2. "trust only exists as self-trust". This means that only self-trust has zero information content, so trust on others always has information content (surprises or, unexpected behavior, either good or bad).
  3. "two different observers cannot equally trust any received information". Direct consequence of (1) and (2).
  4. "a self-declaration cannot convey trust to another entity when using one and the same communication channel". Direct consequence of the abstract definition.

Self-trust is what the self knows it knows. It includes everything that it knows about itself and that it knows about anything external to it (all B such that self knows B), but it does not include what the self does not know it knows. Self-trust (Merriam Webster) is equivalent to self-confidence, which means "confidence in oneself and oneself's powers and abilities" and dates back to 1637. In psychology, self-trust is linked to "recall memory" -- which is the memory you can access at any time without any prompting or clues. This is distinct from "recognition memory" -- which depends on clues or external stimuli to be accessed. Recognition memory is unsafe, as students often find out -- when they trust they know the subject but they are unable to recall it without proper stimulus when facing a blank sheet of paper... Clearly, you may have excellent powers and abilities that you spontaneously ignore -- but which may be nonetheless exploited against you either by a semantic "denial-of-service" attack, by a semantic "man-in-the-middle" attack, etc. Not all attacks are syntactical, as we can recognize when we explore our understanding of how trust works.

The concept of self-trust depends also on communication channels, but from past to present. Thus, the entity can transmit information to itself at a later time, which is called memory. Self-trust depends on the contents of such memories, when the entity can rely upon them to some extent.

The same considerations above can also be used to understand actions that may increase or decrease network security, where "self" is the particular autonomous unit being considered (e.g., a program unit, a smart-card, a piece of hardware, etc.).  In the particular case of Internet security, self-trust is concerned with spontaneous capabilities and performance, including the pragmatics (i.e., the area of semiotics that describes the environment and passive/active attackers/observers) but without any stimulus to self from the pragmatics.
 

If we accept the given trust definition then the above four consequences are as mathematically unavoidable as Shannon's Theorems and leave us in a severe predicament. If it is not self-trust then trust must be qualified by defining the extent "x" of the observer's reliance on the entity -- as given by an estimator with quasi-zero variance on matters of x -- which means that trust must be acquired somehow. However, how and to what measure can I acquire trust?  How can I communicate it? Since not all parts of a public and distributed network can be supervised by myself and some parts do not even belong to myself, while any part can be unwittingly shared with malicious attackers, how can unsupervised reliance be defined and evaluated? How can I rely upon an entity's declarations and acts when the entity is using an Internet link? How can two unknown parties reciprocally transfer a meaningful and reliable set of objects, such as their respective cryptographic public-keys?
 

4. The Mathematical Properties of Trust

"When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind", by Lord Kelvin.

To answer the above questions, we must now look at the mathematical properties of trust. This is also similar to Shannon's approach -- when the logarithmic function was found very useful to represent information content and allowed new insights. As in [5], trust has the following main mathematical properties: where the reader can see the first two properties exemplified online in [5].  The last property is straightforward: the fact that a lion trusts a lamb does not mean that the lamb trusts the lion.

What is then the solution?  How then and to what measure can I acquire and communicate trust?

First, trust cannot be thought of as a type of authorization loop, where trust flows from the source to the destination and back to the source, similar to a battery and electric current. [6]

Further, contrary to information, trust cannot come in by a type of add-on -- such as modulation on a carrier. Why?  Because when you modulate a carrier you are encoding information into that carrier and you suppose that the carrier is pre-existent -- so the carrier has a very low information content while the modulating signal has a very high information content. Ideally, 0% and 100%. On the other hand, according to our definition, trust must have zero information content (trust is what you know).

So, trust cannot be thought of as a modulating wave -- it is the carrier! This is the paradigm shift that the development of intrinsic certification  [Ger97] was based upon in the first place. First acquisition, then recognition.

Without the need to continue with a stepwise investigation as done in Section 2, we can now generalize. The bottom line is that trust is akin to a carrier of information -- which information can be anything we may need:  accountability, evidence, responsibility, validation, reliability, generalization, uncertainty, consistency, truthfulness, legal reliance, liabilities, warranties, ethics, monetary values, contract terms, deals, person's name, person's DNA, fingerprints, bank account number, public-keys, etc.

So, not only accountability but even truthfulness depends on trust. Trust is a basic property of communication channels, similar to information.  I could say, in a very broad generalization, that "everything is information and rides on trust"... which trust allows you to act or not, when based on that information. So, this is a second-order Information Theory -- in which we are no longer interested only in how much "surprise" data is being transferred over a channel -- as measured by the uncertainty of the party as to what the message will be.  Rather, I now focus on what is essential to that message but which cannot be transferred using that channel (as trust is defined here) -- which can be equally quantitative as information, though both are subjective.

For further examples of using the abstract definition of trust, see A.4.10, A.4.11 and the mcg-talk list repository.

My  following assumption then is to mathematically model any suitable explicit definition of trust (i.e., this is not a play on words but we have to model our real-world model of trust) as a multivector operator on information, which is parametrized by (t,d,s,...) where t=transitive, d=distributive, s=symmetric, ... + other properties such as time (see [6]). Of course, the mathematical model may change if we change the explicit definition used to form the representation -- but all models are upward compatible with the single abstract definition of trust.

Any suitable trust model can now allow us to answer the basic trust questions, as a function of cost and risk [7].

When (t=0, d=0, s=0, T=0, ...) we have "hard-trust" -- i.e., zero information content (no surprises) and no risk. But, also, as isolated as an island -- trust cannot be acquired or communicated.

When we allow the parameters (t,d,s,T, ...) to take non-zero values, then we have "soft-trust" -- i.e., non-zero information content (bad and good surprises) and ... risk. Here, trust can be acquired and communicated but always tainted with information. In other words, "hard-trust" is only applicable to self-trust -- because self-trust is untainted by information (by definition, since it is known to the observer). However, trust must be properly gauged [8] also as a function of risk/cost if it is to be properly used in the soft-trust regime.

As a final remark on the mathematical properties of trust, a cursory reading of this paper may give the impression that trust just depends on appropriate out-of-band information.  For example, one may think that trust is warranted if "I, entity A, have independently verified that the certificate is in fact from CA B, by virtue of having exercised the appropriate out-of-band security procedure to confirm its authenticity".  This is far from the truth, for two main reasons already mentioned above: (i) the non-boolean properties of trust and, (ii) the multivector aspects of trust as a mathematical operator. For some examples, see [5]. This highlights the importance of the study of the mathematical properties of trust, briefly sketched here and in the Appendix. Further references are contained in the mcg-talk list (under the author's number-ID 416720) and in the sci.crypt newsgroup as well as in the lists e-carm, cert-talk, dig-sig, ssl-users, ssl-talk, spki and others (under the author's name).
 
 

5. Conclusions

From the discussion, trust is seen to emerge as the mathematics of subjective certainty and precision. Trust was defined with only one abstract definition -- "trust is that which is essential to a communication channel but which cannot be transferred from a source to a destination using that channel" -- cast in the general framework of Information Theory but without predicating any uncertainty model. Information itself was also likewise defined. The abstract definition of trust was shown to lead to any number of explicit representations of trust (of which more than thirty were cited) that can take into account the appropriate instance and observer roles in a measurement process. Thus, trust can be differently represented as needed for each instance and observer, but always with upward compatibility to one common topmost parent concept. Which may be thought of as an interoperation mechanism that is built-in by inheritance, between different representations.

When trust is represented as qualified reliance on received information, it allows the definition of mathematical operators which can represent the concept of soft-trust, when the truster permits (as in the real-world) some degree of transitivity, distributivity and so on, which turns out to be essential to Internet communication processes -- but which opens a series of security risks, as discussed in a broad context.
 

In practice, the theory is always more complicated.


Currently, the work proceeds on the development of a proper trust algebra (using Grassmann's Algebra) that can represent and allow soft-trust and its risks to be calculated with a type of proposition calculus. Trust algebra is non-boolean but begins with boolean propositions of the type "A trusts B on matters of x at epoch T"  and unfolds into fully intersubjective calculations on n-dimensions, which can be visualized by using the concept of multivector intersection in Grassmann Algebra. Trust has thus subjective, intersubjective and objective components -- as a multivector of arbitrary dimension.  Trust can be shown to be a cardinal property of certification systems, as discussed in "Why is certification harder than it looks?".

The arguments presented in the paper already show several common mistakes that we must be aware of and avoid when dealing with the concept of trust in Internet certification, which are discussed in the Appendix -- especially A.1. Taking such a model of trust further, as it will be presented in future papers and in the Meta-Certificate Standard, leads to what is called the "archetypical trust model" as presented in the MCG-FAQ. In the model, even though the trust operator is clearly non-Boolean (see the mathematical properties above), it can be used to construct Boolean trust propositions (A.3) that can represent not only binary but also tertiary, quaternary and generic m-ary trust relationships. The concept of "critical radius of trust" is also derived from space and time considerations of differently interacting agents, where the critical radius is defined as the reach of soft-trust where risk and cost are equal.

As recognized in linguistics and semantics, words should be used within their generally accepted meanings as much as possible (in fact, some claim that this is the main difference between science and poetry...).  The paper showed that the full content of the accepted social meanings of the word trust, albeit of difficult conceptualization [McK96] in its real-world and social uses, could nonetheless be well-modeled by an abstract definition of trust within the framework of Information Theory and communication processes -- thus rendering possible its scientific and technical use on a par with the social meanings.  Semantically, the abstract definition of trust contains the seed-thought of the full concept of trust, which unfolds as explicit truth-conditions when applied to each practical stance, which, in turn, may provide different truth-values to each observer.  The abstract and the explicit definitions of trust can thus provide a common ground when dealing with trust, in any context.  Trust is also shown to be a new type of measurement: how to rely upon actions at a distance.  Thus, trust affords an answer to the problem of measuring events that are important, significant but which are essentially unreachable -- as strongly exemplified in the Internet, but which may have applications in other areas of communication systems and science.

Further, since trust can be shown (see A.4.3) to be essential to allow meaning to be conveyed in communication, and not just references, this paper advances the thesis that trust is a basic property of Nature, such as time and information.  Without trust, communication in Nature would have no meaning -- which is clearly not the case, and which negation supports the thesis. Further weight to the thesis comes from the very historical difficulty to define trust so far, as mentioned in the paper, which points out the basic nature of trust, as with any concept that cannot be well-defined because it is primary -- e.g. time. This shows the futility of any approach that may try to qualify trust by maiming it -- i.e., by denying some of trust's truth conditions.  Of course, by artificially changing the contextual meanings of trust one cannot hope to change the need to understand it or the need to use the true richness of the concept it denotes.

The ancient Greeks, for example, defended for a long time the concept that all physical lengths were exactly measurable -- which would lead to the expectation that all numbers that represent reality must be rational. And yet, if we take a right triangle with sides equal to one, the hypotenuse is not exactly measurable -- it is equal to the square-root of two, which can be easily proved to be irrational. Further, such a triangle can be easily built and exists. Or, if we take pi, which is not only irrational but also transcendental, then we can construct any number of circles with perimeters that are not exactly measurable. Even if the Greeks would have artificially changed the meaning of the word rational to mean real, still such lengths could not be exactly expressed by measurements -- no matter how precise. The same applies to trust -- because it is a basic natural concept that exists independently of the name we may assign to it and, thus, cannot be better understood if its properties are partially reduced. For example, using the name trust to denote authorization, belief or a lesser concept will not make trust's truth-values more useful or easier to use in security designs. On the contrary, the truth-values of trust will be even more difficult to grasp and use if trust's truth conditions are ignored in a design, policy, theory or measurement.

Forthcoming papers will show that trust and information are necessary and sufficient properties of a generic communication system that can use pragmatics (environment) to transfer not only syntactics (reference) but also semantics (sense) from a source to a destination; some results are already available in the Appendix (see A.4.3) and in the mcg-talk or trust-ref exchange.
 

Acknowledgments

The author acknowledges helpful hints and discussions with participants  of the Meta-Certificate Group discussions and the mcg-talk and trust-ref lists, especially  Einar Stefferud, Tony Bartoletti, Peter, tks, Pedro Rezende, Ricardo Dahab, Nicholas Bohm, Mike Rosing, Waldyr Rodrigues, Pedro John Meinrath, Frank O'Dwyer and also participants of several discussion lists such as e-carm, ssl-talk, ssl-users, dig-sig, dig-cert, itanet, cert-talk, SPKI list, IETF S/MIME , Usenet newsgroups such as talk.politics.crypto, comp.security.misc, comp.security.pgp.discuss, sci.crypt,  the Internet community in general. However, this list does not mean their endorsement or responsibility in this work, which is the sole responsibility of the author, reflecting his viewpoints -- not the viewpoints of any corporation, company, agency or Governments.
 


Appendix

(This section contains material from recent messages)

1. Model of Trust versus Trust Models


The title is "Toward a Real-World Model of Trust" -- which has two sides:

1. The model of trust or what should we understand by the word "trust" in communication processes,
2. The trust models we can use, which will allow us to represent our understanding of the word "trust" as defined.
These are two entirely different viewpoints. Let us initially investigate possible models of trust that could be used, and compare them with the model of trust defined in this work by the explicit and abstract definitions already presented.

First, some think that one cannot compare the "digital"  and "emotional" concepts of trust -- the "digital" concept being the technical use of the word trust as in communication processes, root-keys, digital signatures, certificates, etc. and the "emotional" concept being the social understanding of the word trust in commercial, legal and personal dealings.

Clearly, and to fix notation, the term digital trust is inappropriate when applied to a communication process -- which can also be analogue. Similarly, technical trust is also misleading, e.g. a technical argument in law is quite different from a technical argument in engineering. The best word here might be "process trust", which allows not only the protocol but also the software, hardware, etc. to be included in the trust concept -- e.g. a modem can also be trusted in the communication technical sense. Similarly, "social trust" might also be a better word to represent the emotional, real-world, 3D or personal aspects of trust. So, I will preferentially use both terms below: process trust and social trust.

The concept of process trust has several definitions, as I have located them and there are possibly more.

1. NSA: "a trusted system or component is one with the power to break one's security policy" [10].

Comment: While some may consider that this definition chimes in well with the relationship between a Trusted Third-Party and a TTP-subscriber,  it does have the merit that it considers trust to be subjective.  However, it includes any number of subjective, intersubjective and objective dependencies into the concept of trust, which may not be trust -- such as auditing. It also confuses the whole security policy of the truster with that part which the trusted system can influence.

2. X.509: "Generally, an entity can be said to "trust" a second entity  when it (the first entity) makes the assumption that the second entity  will behave exactly as the first entity expects. This trust may apply only  for some specific function. The key role of trust in the authentication framework is to describe the relationship between an authenticating entity and a certification authority; an authenticating entity shall be certain that it can trust the certification authority to create only valid and reliable certificates." [11]

3. ABA Digital Signature Guidelines (ABADSG) I: trust is not defined per se, but indirectly, by defining "trustworthy systems" (or, systems that deserve trust) as "Computer hardware, software, and procedures that: (1)  are reasonably secure from intrusion and misuse; (2)  provide a reasonably reliable level of availability, reliability and correct operation; (3) are reasonably suited to performing their intended functions; and (4) adhere to generally accepted security principles. " [12]

Comment: This definition is unfortunate in that it confuses trust with fault-tolerance and other unrelated matters, especially so because (for example) fault-tolerance is objective and can be quantitatively measured by friends and foes alike -- whereas trust is the opposite.

4. ABADSG II: the ABADSG uses the word trust also in the legal sense of something held in trust -- i.e., a property interest held by one person for the benefit of another -- which has nothing to do with the issues here, but may confuse the reader in a phrase such as "private key trust service"  which is later on defined to be a legal trust concept in the ABADSG document.

Comment: Perhaps, a better wording for such use of the word trust in the ABADSG would result from rephrasing everything in order to highlight the expression "in trust" for this legal concept, such as using "private key service in trust" instead of "private key trust service". [12]

5. PGP: even though PGP uses the word trust extensively, such as in web-of-trust, the concept of trust is not explicitly defined by PGP and one has the impression that PGP uses the social concept of trust.

Comment: In fact, this would be appropriate because PGP was intended to be an e-mail security software for a close group of friends and the friends themselves would provide for the trust management issues -- in their own socially acceptable way.  However, the trust concepts developed in the paper point out some basic inconsistencies in PGP [9], e.g. when PGP enforces a model of "hard-trust" with "trust is intransitive" to setup entries in the web-of-trust but uses "soft-trust" to upkeep entries, without discussing its validity/gauge nor allowing for time factors such as lack of synchronism.

6. Real-world or Social: The concept of social trust can be obtained from dictionaries, such as Merriam Webster: "1 a : assured reliance on the character, ability, strength, or truth of someone or something b : one in which confidence is placed. 2 a : dependence on something future or contingent : HOPE b : reliance on future payment for property (as merchandise)  delivered : CREDIT 3 a : a property interest held by one person for the benefit of another b : a combination of firms or corporations formed by a legal agreement; especially : one that reduces or threatens to reduce competition 4 archaic: TRUSTWORTHINESS 5 a (1) : a charge or duty imposed in faith or confidence or as a condition of some relationship (2): something committed or entrusted to one to be used or cared for in the interest of another b :  responsible charge or office c : CARE, CUSTODY <the child committed to her trust>"

Having presented the various definitions found for "process trust" and  "social trust", we can easily observe that they are not even concordant between themselves -- much less with one another.

However, it is perhaps clear that they should all be equivalent, even though different in their own domains. In other words, it should be possible to find definitions of trust in each domain that would carry over to one another as a matter of proper focus.

Thus, in this view, both "types" of trust are not apples and speedboats. Communication protocols can and should indeed be based on social trust concepts -- i.e., real-world concepts -- and not on some ad hoc and academically unrealistic models.  For example, a security design that considers trust just a synonym for authorization. Further, the author considers it already a bad sign if one is using a model of trust that divorces the digital world or communication concept of "process trust" from the emotional, personal or 3D world concept of "social trust". Instead of a "feature" of such a model, it is a bug.

In fact, the social and communication aspects of trust must be well integrated if a socially useful communication protocol is to be defined.  This will also be very important for the next intermingling of cyberspace with our 3D-world, as discussed in A.4.7. As commented before, one must recognize that unless one arrives at a real-world or social model of trust to be used in the electronic world, no logically useful communication trust model can be set forth.

This idea is not entirely new. Besides Shannon, who used it successfully 50 years ago when modeling information,  Phill Hallam-Baker declared the following in Nov/94:

"We have two options either we can attempt to define wonderful academic forms of trust model de novo. Or we can observe the real world and attempt to model the trust mechanisms that allow it to function. Since we do not see a hierarchical trust model it is not the solution. We do not see anarchy either, or at least in places where it has taken hold it is disaster. What we see is binary interpersonal relationships heavily qualified in manyways. The approach that has always seemed most promising to me is to replicate those relationships allowing them full colour with respect to the areas for which trust is granted (finacial, notarial, reliability etc), the extent of such trust and the confidence with which that trust is allowed." (SIC) [13]

Indeed, the reader can verify that the new abstract and explicit definitions of trust in Information Theory terms can represent both the social and the communication process aspects of trust in a single model -- that essentially represents an abstract model for trust's core properties in the real-world.

This can allow us to cross over different trust domains, so that a unique model of trust can represent "social trust" (i.e., 3D world, emotional, personal) when applied to a communication process (i.e., digital world) as well as represent "process trust"  (i.e., digital or technical trust) when applied to a social situation.

In law, the designation "reasonable man" is a legal standard and applies to the understanding that a judge must develop for a jury in its decisions -- i.e., a "trust model", as the concept is defined in this work. For example, if a judge trusts that a "reasonable man" would have no doubt on the issues of fact involved, he may send the case for summary judgment.

A "reasonable man" is also a metric for the "reasonable reliance" trust model that a judge or jury can apply by themselves to a case.

I note that "reasonable reliance" is a legal objective trust model which is being increasingly abandoned in favor of "justified reliance" -- a legal subjective trust model. This can be explained by the technical arguments outlined in this paper, to the extent that a person always bases its acts on subjective trust -- besides the legal arguments.

Of course, technical arguments have a broad worldwide application whereas legal arguments depend on country, state and even time.  However, legal arguments are interesting also -- as arguments cannot be played in isolation. I quote some of the legal arguments and case law history from a decision by the SUPREME COURT OF THE UNITED STATES, where Mr. Justice Souter delivered the opinion of the Court in case No. 94-967 of WILLIAM FIELD and NORINNE FIELD, PETITIONERS v. PHILIP W. MANS, on November 28, 1995 [SCUS]:

2. Linguistics

It is important to recognize the linguistic value of the proposed trust definition for communication systems, or, "is it really what we would use the word trust for, in some circumstances, or should we use something else as a name for the definition?"

Clearly, we would not (as cited above) use the words: assumption, knowledge, belief or information.

As to the word trust itself, it was chosen exactly on semantic grounds for the English language. Linguistically, "Trust" is akin to "true" and "faithful", with a usual first dictionary meaning of  "1 a : assured reliance on the character, ability, strength, or truth of someone or something; b : one in which confidence is placed."

So, in common English usage trust is what you place your confidence in or, expect to be truthful -- that which you can rely upon.  Of course,  this is a subjective metric since what a reasonable man may need to consider in order to rely upon something is quite different than what a naive truster may require. Perhaps, a naive truster will only require an indication as a reason for reliance, and perhaps also a reasonable man might do the same if what is at stake has a low value.

Thus, the explicit and abstract definitions of "trust" given here -- albeit technically directed to the terminology of Information Theory -- have a strong resemblance to everyday use, also when trust simply means reliance on an indication.

It is also important to realize the subjectiveness of the definition. Who defines what is "essential" in the formal abstract definition, or "high-reliance" in the explicit definitions? Who defines what is true? The truster.  The truster defines the metric used to justify what it can rely upon and what it considers to be true. Which can be subjective, intersubjective, objective or a mixture of such types -- as we can see in the real-world.
 

3. Trust Propositions, Matters of x  and Metric-Functions

The explicit definition of trust leads to the concept of "trust proposition" as a Boolean representation of a trust act. A trust act is seen as an encounter (e.g., a "collision") between A (the truster) and B (the trustee) at time T, during which encounter A gathers information on B, possibly unbeknownst to B.

Comment: Clearly, the less B knows about A's measuring actions, the better for A's reliance on the estimator as a valid representation for B's acts which are unsupervised by A. This is similar to Heisenberg's Uncertainty principle and will be pursued elsewhere. Further, while trust is not auditing, B can clearly be supervised by other entities instead of A. This can lead to complex tertiary, quaternary and general m-ary trust relationships -- which can either increase or decrease security, as a function of the different estimators for each entity and their logical relationships.

A binary trust proposition is of the form "A trusts B on matters of x at time T", which evaluates either to true or false. Binary trust propositions can be combined into m-ary expressions using the framework of Grassmann's Algebra, as pursued elsewhere.

However, the question is: what is "x"?

First, "x" is a scalar, a trust-point. Trust-points represent behaviors which are either known or can be predicted with quasi-zero variance. This is not to be interpreted as saying that there is no room for "maybes" or even unpredictability regarding the outcome of x, of course. The point here is that while the expression "B trusts C on matters of x" means "B knows that C is predictable with quasi-zero variance on matters of x" -- and therefore B expects no surprises on such "matters of x" -- here is a short list of what "matters of x" can be:

Trust-points can also be absolute or objective, such as "pi is 3.141592...", "SHA-1 is defined in file F...", etc.

In each of these examples, I observe that we have actually defined an equivalence class for matters that represent the "same" behavior "x" -- the same trust-point in its interactions.

But, what is "same"?  Indeed, if we want to model trust, risk, certification, privacy or even the security of cryptographic protocols, one of the first questions we must ask is:

In other words, we need a notion of distance between two quantities -- for example between "trusted data" and "input data". How "close" is the input data to data that can be trusted? When are they the "same"? This is, of course, a basic question which we would like to answer as quantitatively as possible.

Further, we need such notion of "distance" to satisfy some requirements:

(i) the distance must be the same if I just exchange the two quantities, so that distance "looking into" one must be the same as "looking into" the other.

(ii) the distance must be invariant under some class of transformations, so that I can change reference frames under that class of transformations and still meaningfully refer to that same "distance".

(iii) the distance must correspond to a meaningful reference that I can express, order and compare  -- e.g., a number (even in cardinal form -- i.e. as a measure over set equivalence).

(iv) if the distance is zero I would like the quantities to be considered "equal".

(v) Conversely, if two quantities are "equal" I would like their "distance" to be zero.

(vi) If I have three quantities which are distinguishable from each other then I would like to define the notion that a direct path between two quantities is shorter than or equal to an indirect path that also includes the third quantity -- like a triangle.

Now, I note that the notion of "equality" expressed above is not simply that given by the "=" sign, but rather contains the idea of "equivalence" -- for example, 2 and 4 are equivalently even numbers, though one cannot say that "2=4".  This is also often (and I will follow such usage) expressed as indistinguishability -- 2 and 4 are even numbers and are indistinguishable from one another in regard to being an even number, i.e., they cannot be distinguished from one another in that aspect.

In looking thus to a general framework to express how "close" or how "far" quantities are -- in other words, how distinguishable they are -- we realize that we have just stumbled into metric functions!

Indeed, a metric function d(x,y) is a positive-definite function (i.e., d(x,y) >= 0) that needs to satisfy four properties, which contain our "wish list" above:

Metric functions are used to define a concept of "distance" between point x and y, such distance being d(x,y). In particular, property (3) says that if the points are equal (e.g., indistinguishable from each other) then their distance is zero. Conversely, property (4) says that if the distance is zero then the points are equal. The "triangle inequality" given by property (2) is the familiar statement that the sum of the lengths of the two opposing sides in a triangle is larger than the length of the base side, being equal if the sides are collinear. Last, property (1) says that the same distance is obtained, whether you are looking to x or to y.

How is that applied to "matters of x" and why is it useful?

Because "matters of x" defines what is trusted by the entity, one can think of "matters of x" as a function of two arguments: the first one is x (trusted) and the second is any input y (to be tested). The output of the function indicates whether y is trusted or not:

matters-of(x,y) = 0 if trusted, a "number" > 0 otherwise.

It is easy to show that matters-of(x,y) can be defined so as to satisfy all 4 properties of a metric function.

Now, if matters-of(x,y) is zero, we can say that x is indistinguishable from y -- i.e., they are "equal" in regard to trust. So, matters of x allows us to define how "close" or how "far" some input is from being trusted -- and can even provide us *paths* to move in "closer to trust".

This is already very useful because we can represent all the various degrees of "quasi-trust" that we also follow in our reasoning -- but now in software.

However there is more, in two basic results from mathematics.

The first one is that metric functions are rather easy to find, and we are free to define whatever suits us and the modelling we have. For example, we can use the notion of probability of error, Shannon mutual information, Kolmogorov complexity, Bhattacharyya coefficient,  least square error, etc.

The second one is that if we formulate these concepts into metric functions that obey the 4 properties, then it is irrelevant which one we use. It is largely a matter of convenience.

Of course, there is much more to be said about the (in)distinguishability problem and the use of metric functions, especially in potential uses of this theory of trust. But the above comments may already show the general principles involved, their usefulness and relative ease-of-use -- besides the extreme flexibility they provide.
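The following Python sketch is an added example, not code from the paper: it gives one possible matters-of(x,y) (a count of differing attributes after ignoring case and spacing, an assumption made here) and checks the four properties, numbered as in the text, on a constructed sample. It also shows that a raw squared error breaks the triangle property (2) until it is reformulated, here as its square root; all function names and sample values are hypothetical.

```python
from itertools import product

def canonical(attrs):
    """Keep only the aspect that matters for trust: case and spacing are ignored."""
    return frozenset(" ".join(a.lower().split()) for a in attrs)

def matters_of(x, y):
    """0 if input y is indistinguishable from trusted x, else the count of differing attributes."""
    return len(canonical(x) ^ canonical(y))

def indistinguishable(x, y):
    return canonical(x) == canonical(y)

def squared_error(x, y):
    return (x - y) ** 2

def root_squared_error(x, y):
    return abs(x - y)  # square root of squared_error

def violated_properties(d, points, equal):
    """Property numbers, as used in the text, that d breaks on the sample (0 = d >= 0)."""
    bad = set()
    for x, y in product(points, repeat=2):
        if d(x, y) < 0:
            bad.add(0)
        if d(x, y) != d(y, x):
            bad.add(1)  # (1) symmetry
        if equal(x, y) and d(x, y) != 0:
            bad.add(3)  # (3) equal => zero distance
        if d(x, y) == 0 and not equal(x, y):
            bad.add(4)  # (4) zero distance => equal
    for x, y, z in product(points, repeat=3):
        if d(x, z) > d(x, y) + d(y, z):
            bad.add(2)  # (2) triangle inequality
    return bad

# Constructed sample: one trusted attribute set and three inputs to be tested.
TRUSTED = ("name=John Smith", "org=Example Org", "key=K1")
SAMPLES = [
    TRUSTED,
    ("NAME=john  smith", "org=example org", "key=K1"),  # differs only in case/spacing
    ("name=John Smith", "org=Example Org", "key=K2"),   # different key
    ("name=J. Smith", "org=Other Org", "key=K2"),       # differs in every attribute
]

if __name__ == "__main__":
    for y in SAMPLES:
        print(matters_of(TRUSTED, y), y)
    print("matters_of breaks:", violated_properties(matters_of, SAMPLES, indistinguishable))
    same = lambda a, b: a == b
    print("squared error breaks:", violated_properties(squared_error, [0, 1, 2], same))
    print("its square root breaks:", violated_properties(root_squared_error, [0, 1, 2], same))
```

The distances printed for the sample decrease as an input is brought closer to the trusted attribute set, which is the sense in which such a function gives a path "closer to trust".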

The structure of x, while a scalar, is that of an operator that represents a process (see the specific definition of process in [Ger97]). This operator can be shown to obey the properties of a quotient ring in Mathematics, also called a skew-field. This allows the trust-points "x" to be used as "elementary units" to construct multivectors in Grassmann's Algebra, allowing very complex m-ary trust relationships to be represented and affording an intuitive geometric vision. See the mcg-talk postings on such subject.

The concept of  "proper trust" can then be mathematically defined as satisfactorily as the concept of  "proper keys", by allowing trust and keys to be fully described by convenient metric functions in a coordinate-invariant formulation of certificates within a seven-dimensional metric-space [14]. As a general result, certification in communication processes is shown to be mathematically equivalent [15] to the geometric problem of distance measurement in a metric-space -- as can be intuitively motivated by observing how key-distribution [16] works.

For two parties in a dialogue, all possible certification procedures are then classified in only two models: extrinsic and intrinsic, with a combined mode [Ger97]. All known security designs correspond to the extrinsic model -- which depends on references that are extrinsic to the current dialogue, with certification relative to a third-party or past events. The intrinsic model is a new security design -- which depends on references that are intrinsic to the current dialogue, with certification obtained by measurements that rely upon intrinsic proofs.

4. Internet Names, TSK/P, Uniqueness, Reference and Sense, Metrics, Biometrics, Bio-implants, Examples, etc.

The above discussion on trust can be used to investigate several timely questions. Questions 1 and 2 are common Internet discussion items, nowadays answered in the affirmative. Questions 3, 4, 5 and 6 were supplied by Nicholas Bohm. Questions 7, 8 and 9 were supplied by a MCG participant. Questions 10 and 11 were asked by Phill Hallam-Baker in the SPKI list.

No. And, surprisingly, the solution may solve another historical flaw in public-carrier communications.

No one needs a unique name over the Internet, nor a unique e-mail address, nor even an unambiguous name in order to be uniquely identified. Neither globally nor locally. Everyone can use their own common names if they so wish, or any pseudonym they desire. This note shows that this is not an issue for identification or security -- while it is a recurring subject, an Internet myth. An equivocated security dogma.

Before we begin, it is important to comment that the method to be proposed allows name and address collisions to decrease, not increase -- as it is in the best interest of every user to have fewer collisions and they are free to implement any name change that they may desire in order to do so. This is similar to a social effect recognized in Economics, but where I take the stance of recognizing the possibility of a naturally occurring and autonomous virtuous process that can avoid what is called the "tragedy of the commons" -- arising when a public resource is degraded by over-use from a group of "commons", the onset of which degradation can however regulate the over-use by calling attention to the fact.

The solution is semantic addressing. It depends on two well-established developments, logical semantics and public-key crypto, plus the current work by the author on qualified reliance (trust) in Information Theory. Using the terminology of semiotics (see item A.4.3), it is hereafter called TSK/P (i.e., Trust, Semantics, Keys, over Pragmatics).

Logical semantics, albeit not very well-known, was pioneered by Frege (see item A.4.3) and recognizes that a common name has two quite independent components: reference (i.e., the symbol itself, the byte string) and sense (i.e., the symbol's meaning), where the name's reference is its syntactic value and the name's sense is its semantic value. In other words, a name is viewed as a logical proposition which has two independent attributes, the name's sense representing the name's truth conditions and the name's reference representing the name's truth values. Thus, the semantic theory advanced by Frege shows that an unlimited number of entities can share the same reference (i.e., the same syntactic expression, such as "John Smith") and yet each one can be uniquely identified by their sense (i.e., each referent can be uniquely reached if and only if each referent has a unique sense).

In other words,  the apparently "intuitive" referential theory of meaning is wrong (see item A.4.3) and meaning can never be derived from references, no matter how many -- it is impossible to derive meaning from name. So, any person can choose at will any symbol to be represented by -- and, per se,  none will be better or worse for identifying the person than any other ... in fact, they will be all equally meaningless.

To exemplify the point, suppose I would ask you:

If all the people named "John Smith" could choose whatever symbol  they would want (ASCII, own photo, dog's photo, etc.) to be one of  their "names" in a certificate, what do you think they would choose:

(a) John Smith
(b) something useful and unique as decided by them
(c) John Smith plus something useful and unique as decided by them
(d) something utterly unrelated to anything that John Smith may be, know, possess or live nearby

What would be your answer?

My answer, in the case of the proposed method, is that it could be whatever John desires: (a), (b), (c), (d) or even all of the above at the same time. And security would not suffer, neither regarding John's interests nor regarding a third party's interests.

This motivates two very important points, that should be allowed in the system:
  1. Referent-Centered: Clearly, the referent himself is the closest person to himself and the best one to know his own sense and references ... which means that each person is better able to define his own references so that they can maximally aid the connection between sense and reference and not hamper it. For example,