Nebraska University Consortium on Information Assurance

Provided by: burn2

1
Nebraska University Consortium on Information
Assurance

Trust in the Information Age
Prepared for the Greater Omaha Chapter AFCEA
October 25, 2007
Blaine Burnham

2
Trust in the Information Age
  • Trust
  • What are we talking about?
  • What goes into it?
  • What is special about Trust in the Information
    Age

3
Trust in the Information Age
  • Trust
  • What are we talking about?
  • Trust
  • How is it used
  • (Internet definitions)
  • have confidence or faith in: "We can trust in
    God"; "Rely on your friends"; "bank on your good
    education"; "I swear by my grandmother's recipes"
  • something (as property) held by one party (the
    trustee) for the benefit of another (the
    beneficiary): "he is the beneficiary of a
    generous trust set up by his father"
  • reliance: certainty based on past experience: "he
    wrote the paper with considerable reliance on the
    work of other scientists"; "he put more trust in
    his own two legs than in the gun"
  • allow without fear
  • believe: be confident about something: "I believe
    that he will come back from the war"
  • the trait of believing in the honesty and
    reliability of others: "the experience destroyed
    his trust and personal dignity"
  • a consortium of independent organizations formed
    to limit competition by controlling the
    production and distribution of a product or
    service: "they set up the trust in the hope of
    gaining a monopoly"
  • hope: expect and wish: "I trust you will behave
    better from now on"; "I hope she understands that
    she cannot expect a raise"
  • faith: complete confidence in a person or plan,
    etc.: "he cherished the faith of a good woman";
    "the doctor-patient relationship is based on
    trust"
  • entrust: confer a trust upon: "The messenger was
    entrusted with the general's secret"; "I commit
    my soul to God"
  • extend credit to
  • confidence: a trustful relationship: "he took me
    into his confidence"; "he betrayed their trust"

5
Trust in the Information Age
  • Trust
  • Is Trust Dimensional?
  • A gallon of Trust
  • Five pounds of Trust
  • Two yards of Trust
  • A lifetime of Trust
  • What are the dimensions?
  • Seems to operate adequately well absent discrete
    dimensions

6
Trust in the Information Age
  • Trust
  • Is Trust a Graded Notion?
  • A little trust / A great Trust
  • Trust a little bit
  • Trust a whole lot
  • Complete Trust
  • What is the basis for the gradation?
  • How is it expressed?

7
Trust in the Information Age
  • Trust
  • Can Trust be Conveyed?
  • Fred trusts Tom and Tom Trusts Alice
  • What is the trust relationship between Fred and
    Alice?
  • How can that relationship be expressed?
  • What is the transitive closure of conveyance?

8
Trust in the Information Age
  • Trust
  • How is it established?
  • Experience?
  • Asset Commitment?
  • Third Party / Agent ?
  • Assertion
  • Authority
  • Credential
  • Instant???

9
Trust in the Information Age
  • Trust
  • Is Trust Dynamic?
  • Can it be diminished?
  • How?
  • Can trust be reestablished?
  • How?
  • If so how is this dynamic expressed?
  • How much granularity is appropriate?

10
Trust in the Information Age
  • Trust
  • Is it Situational?
  • Trust under some circumstances and not others?
  • Not trust the dog around children
  • Not trusted to use the pointy scissors
  • Will there be boys there?
  • I think you are good for 5.00.
  • You want to borrow how much?
  • How do we characterize situation?

11
Trust in the Information Age
  • Trust
  • Necessary
  • I trust you will bring the car back full of gas
  • Trust may not be Sufficient
  • I trust you completely but you are still not
    going to a coed slumber party
  • Trust but Verify

12
Trust in the Information Age
  • Trust
  • What is the Relation to Risk?
  • Does it make sense to have trust as a scoped
    notion as a function of exposed asset.
  • Trust completely for small Transactions?
  • This notion seems to be better matured
    (regularized) than others

13
Trust in the Information Age
  • Trust
  • Who / What is Trusted?
  • What is the agent?
  • People
  • Only People
  • How about seat belts
  • Ultimately people
  • Can Things be Trusted?
  • What is the relationship to people
  • Is it necessary to require a people part to
    all/some/any trust relationship?

14
Trust in the Information Age
  • Trust
  • What is the basis for Trust?
  • Past Performance?
  • We haven't had any handling problems reported
  • Basic Design?
  • We specifically looked at that issue during
    design
  • Explicit Constraints?
  • The on-board computer will prevent that situation
    from ever occurring
  • Analysis, Evaluation
  • Our analysis indicates the vehicle will not be
    able to complete an avoidance swerve at speeds
    above 45mph
  • Testing
  • Wow!, Will you look at that sucker roll over

15
Trust in the Information Age
  • Trust
  • Underlying Mechanisms
  • People seem to have this worked.
  • Rich underlying capability to deal with trust
  • Although it appears to be deep seated
  • Catastrophic failure is generally catastrophic
  • Appears to be a high order attribute
  • Trust between people and animals
  • How about among animals
  • The trust relations among squid may reduce to who
    eats who first
  • May be very complex
  • Probably should hold that perspective until
    demonstrated otherwise
  • Although may be an evolution of the squid problem

16
Trust in the Information Age
  • Trust
  • So why does it matter?
  • E-Business
  • E-Government
  • NOT the same business / risk model
  • What do we expect?
  • How do we recognize it?
  • How do we build it?
  • How does it work?

17
Trust in the Information Age
  • Trust
  • The Conundrum
  • To varying degrees we must/choose/expect/want/desire
    to TRUST some agent that we might not ever
    meet to perform in a trusted fashion
  • That is, the agent is expected to enable us to
  • have confidence or faith in
  • reliance: certainty based on past experience
  • allow without fear
  • believe: be confident about something
  • faith: complete confidence in
  • entrust; confidence: a trustful relationship
  • Oh, I forgot to mention we have to do it with
    BITS on the WIRE!!!

18
Trust in the Information Age
  • Trust
  • With bits over the wire, How?
  • Are there Working Models?
  • On-line Auctions
  • eBay
  • PGP
  • PKI
  • Other

19
Trust in the Information Age
  • Trust
  • Models
  • eBay allows both parties of each transaction to
    rate the other party with a positive, neutral, or
    negative rating. Then eBay makes the cumulative
    rating of its members available to its users.
  • This is an accumulative statistical trust model.
  • It seems to work fairly well; however, it has some
    shortcomings
  • The tit-for-tat gambit
  • For large volume parties it takes a long time for
    a reversal of behavior to show
  • Doesn't include the size of the transaction, so
    good behavior for large transactions is rated the
    same as for small transactions
  • Carefully policed by eBay. Seems to be adequate.
    Significant abuse is strongly dealt with
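
Two of the shortcomings listed on this slide, shown on a constructed feedback history. This is an added example, not part of the original presentation; the `Feedback` record, the recent-window variant and the value-weighted variant are assumptions introduced here for comparison.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Feedback:
    rating: int    # +1 positive, 0 neutral, -1 negative (the three ratings on the slide)
    amount: float  # transaction value; the cumulative model never looks at it


def positive_share(history: Sequence[Feedback], weighted: bool = False) -> Optional[float]:
    """Share of positive feedback among non-neutral ratings.

    weighted=False counts every transaction equally (the cumulative model).
    weighted=True weights each rating by transaction value (assumed variant).
    Returns None when there is no non-neutral feedback to score.
    """
    pos = neg = 0.0
    for fb in history:
        w = fb.amount if weighted else 1.0
        if fb.rating > 0:
            pos += w
        elif fb.rating < 0:
            neg += w
    total = pos + neg
    return pos / total if total else None


def recent_share(history: Sequence[Feedback], window: int) -> Optional[float]:
    """Cumulative model restricted to the most recent `window` transactions."""
    return positive_share(history[-window:]) if window > 0 else None


def sample_history():
    # Constructed data: a high-volume seller with 1000 good small sales,
    # followed by a reversal of behavior on 20 large sales.
    return [Feedback(+1, 10.0)] * 1000 + [Feedback(-1, 2000.0)] * 20


if __name__ == "__main__":
    h = sample_history()
    print("cumulative     :", round(positive_share(h), 3))
    print("last 50 only   :", recent_share(h, 50))
    print("value-weighted :", positive_share(h, weighted=True))
```

The cumulative share barely moves after the reversal, while the recent-window and value-weighted views both show it clearly.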

20
Trust in the Information Age
  • Trust
  • Models
  • PGP
  • There is no central authority which everybody
    trusts, but instead, individuals sign each
    other's keys and progressively form a web of
    individual public keys interconnected by links
    formed by these signatures.
  • A by-product of this approach is the emergence of
    communities of trust webs, mirroring the tight
    inter-relationships within social groups of
    various categories (e.g. kinship or occupational
    groups), and the looser inter-community
    relationships. Some of the individuals within a
    community may have trusted friends in another
    community, so this sort of trust-relations could
    form a bridge between communities.

21
Trust in the Information Age
  • Trust
  • Models
  • PKI employs the hierarchical trust model. In a
    hierarchical trust model, end users trust the CA
    at the root of their hierarchy
  • Trust between CAs flows down from the root.
    Relying parties will only directly trust other
    users whose CA is a member of the same hierarchy.
    In a hierarchy, the level of trust for a CA is a
    function of the level of trust associated with
    the CA at the root of the hierarchy.
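
The two models on the PGP and PKI slides, side by side, using the Fred, Tom and Alice question from the earlier slide on conveyed trust. This is an added example, not part of the original presentation: the key names, the `max_depth` policy knob and both functions are assumptions, and the web model is simplified so that every signature fully conveys trust.

```python
from collections import deque

# Constructed data. WEB: signer -> keys that signer has signed (web of trust).
WEB = {"Fred": {"Tom"}, "Tom": {"Alice"}, "Alice": {"Bob"}}
# ISSUER_OF: certificate -> issuing CA (hierarchy); roots are self-issued.
ISSUER_OF = {"RootA": "RootA", "CA1": "RootA", "alice-cert": "CA1",
             "RootB": "RootB", "bob-cert": "RootB"}


def web_trust_path(signatures, start, target, max_depth):
    """Shortest chain of signatures from start to target, or None.

    Trust is conveyed along signature links, but only max_depth hops,
    so the transitive closure is bounded by the relying party's policy.
    """
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # policy limit reached, do not convey trust further
        for nxt in sorted(signatures.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def chain_to_root(issuer_of, subject, trusted_root):
    """Walk issuer links upward; the chain counts only if it ends at trusted_root."""
    chain = [subject]
    while chain[-1] != trusted_root:
        parent = issuer_of.get(chain[-1])
        if parent is None or parent in chain:  # unknown issuer, or a loop/other root
            return None
        chain.append(parent)
    return chain


if __name__ == "__main__":
    print(web_trust_path(WEB, "Fred", "Alice", 2))      # conveyed through Tom
    print(web_trust_path(WEB, "Fred", "Bob", 2))        # outside the depth limit
    print(chain_to_root(ISSUER_OF, "alice-cert", "RootA"))
    print(chain_to_root(ISSUER_OF, "bob-cert", "RootA"))  # different hierarchy
```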

22
Trust in the Information Age
  • Define suitable models for participants in a
    multi-domain PKI
  • Simple PKI
  • Hierarchy PKI
  • Mesh PKI

23
Trust in the Information Age
  • Trust
  • Oops, forgot to mention that the mechanism is
    Cryptography and the trust is associated with
    the KEYS
  • So
  • That whole rich social fabric of TRUST appears to
    collapse to what we are able to, with metadata
    (what amounts to labels), associate with KEYS.
  • That's it

24
Trust in the Information Age
  • Trust
  • Digital trust is reduced to mostly key management
    and the meta burden we are willing to put onto the
    key management process
  • There are all sorts of distortions that creep in as
    we try to reconcile our human experience and
    expectations with the very limited capacity of
    the digital space

25
Trust in the Information Age
  • Trust
  • Things not covered
  • There is a tremendous amount of stuff going on in
    PKI.
  • Trusted Systems
  • Trustworthy
  • Surety
  • Trusted Software
  • Versus Signed Software
  • Trusted Computing Base
  • Composition

26
Trust in the Information Age
  • Credits and References
  • http://www.firstmonday.dk/issues/issue2/markets/index.html
    Joseph M. Reagle Jr., Trust in electronic
    Markets, the convergence of Cryptographers and
    Economists
  • http://www.cs.ucl.ac.uk/staff/F.AbdulRahman/docs/pgptrust.html
    The PGP Trust Model, Alfarez Abdul-Rahman
  • http://www.safevote.com/papers/trustdef.htm
    Toward Real-World Models of Trust: Reliance on
    Received Information
  • http://benmetcalfe.com/blog/index.php/2005/08/11/flaws-with-ebay-trust-model/
    Ben Metcalfe's Blog
  • http://www.it-c.dk/courses/DSK/F2003/PKI_Trust_models.pdf
    PKI trust models, Tim Moses
  • http://www.oasis-open.org/committees/download.php/6158/sstc-saml-trustmodels-2.0-draft-01.pdf
    OASIS, Trust model Guidelines