Title: Nebraska University Consortium on Information Assurance
1 Nebraska University Consortium on Information Assurance
Trust in the Information Age
Prepared for the Greater Omaha Chapter AFCEA, October 25, 2007
Blaine Burnham
2 Trust in the Information Age
- Trust
- What are we talking about?
- What goes into it?
- What is special about Trust in the Information Age
3 Trust in the Information Age
- Trust
- What are we talking about?
- Trust
- How is it used
- (internet definitions)
- have confidence or faith in: "We can trust in God"; "Rely on your friends"; "bank on your good education"; "I swear by my grandmother's recipes"
- something (as property) held by one party (the trustee) for the benefit of another (the beneficiary): "he is the beneficiary of a generous trust set up by his father"
- reliance: certainty based on past experience: "he wrote the paper with considerable reliance on the work of other scientists"; "he put more trust in his own two legs than in the gun"
- allow without fear
- believe: be confident about something: "I believe that he will come back from the war"
- the trait of believing in the honesty and reliability of others: "the experience destroyed his trust and personal dignity"
- a consortium of independent organizations formed to limit competition by controlling the production and distribution of a product or service: "they set up the trust in the hope of gaining a monopoly"
- hope: expect and wish: "I trust you will behave better from now on"; "I hope she understands that she cannot expect a raise"
- faith: complete confidence in a person or plan etc.: "he cherished the faith of a good woman"; "the doctor-patient relationship is based on trust"
- entrust: confer a trust upon: "The messenger was entrusted with the general's secret"; "I commit my soul to God"
- extend credit to
- confidence: a trustful relationship: "he took me into his confidence"; "he betrayed their trust"
5 Trust in the Information Age
- Trust
- Is Trust Dimensional?
- A gallon of Trust
- Five pounds of Trust
- Two yards of Trust
- A lifetime of Trust
- What are the dimensions?
- Seems to operate adequately well absent discrete
dimensions
6 Trust in the Information Age
- Trust
- Is Trust a Graded Notion?
- A little trust / A great Trust
- Trust a little bit
- Trust a whole lot
- Complete Trust
- What is the basis for the gradation?
- How is it expressed?
7 Trust in the Information Age
- Trust
- Can Trust be Conveyed?
- Fred trusts Tom and Tom trusts Alice
- What is the trust relationship between Fred and Alice?
- How can that relationship be expressed?
- What is the transitive closure of conveyance?
8 Trust in the Information Age
- Trust
- How is it established?
- Experience?
- Asset Commitment?
- Third Party / Agent?
- Assertion
- Authority
- Credential
- Instant???
9 Trust in the Information Age
- Trust
- Is Trust Dynamic?
- Can it be diminished?
- How?
- Can trust be reestablished?
- How?
- If so how is this dynamic expressed?
- How much granularity is appropriate?
10 Trust in the Information Age
- Trust
- Is it Situational?
- Trust under some circumstances and not others?
- Not trust the dog around children
- Not trusted to use the pointy scissors
- Will there be boys there?
- I think you are good for 5.00.
- You want to borrow how much?
- How do we characterize situation?
11 Trust in the Information Age
- Trust
- Necessary
- I trust you will bring the car back full of gas
- Trust may not be Sufficient
- I trust you completely but you are still not going to a coed slumber party
- Trust but Verify
12 Trust in the Information Age
- Trust
- What is the Relation to Risk?
- Does it make sense to have trust as a scoped notion, as a function of exposed asset?
- Trust completely for small Transactions?
- This notion seems to be better matured (regularized) than others
13 Trust in the Information Age
- Trust
- Who / What is Trusted?
- What is the agent?
- People
- Only People
- How about seat belts
- Ultimately people
- Can Things be Trusted?
- What is the relationship to people
- Is it necessary to require a people part to
all/some/any trust relationship?
14 Trust in the Information Age
- Trust
- What is the basis for Trust?
- Past Performance?
- We haven't had any handling problems reported
- Basic Design?
- We specifically looked at that issue during design
- Explicit Constraints?
- The on-board computer will prevent that situation from ever occurring
- Analysis, Evaluation
- Our analysis indicates the vehicle will not be able to complete an avoidance swerve at speeds above 45 mph
- Testing
- Wow! Will you look at that sucker roll over
15 Trust in the Information Age
- Trust
- Underlying Mechanisms
- People seem to have this worked.
- Rich underlying capability to deal with trust
- Although it appears to be deep seated
- Catastrophic failure is generally catastrophic
- Appears to be a high order attribute
- Trust between people and animals
- How about among animals
- The trust relations among squid may reduce to who eats who first
- May be very complex
- Probably should hold that perspective until demonstrated otherwise
- Although may be an evolution of the squid problem
16 Trust in the Information Age
- Trust
- So why does it matter?
- E-Business
- E-Government
- NOT the same business / risk model
- What do we expect?
- How do we recognize it?
- How do we build it?
- How does it work?
17 Trust in the Information Age
- Trust
- The Conundrum
- To varying degrees we must/choose/expect/want/desire to TRUST some agent that we might not ever meet to perform in a trusted fashion
- That is, the agent is expected to enable us to
- have confidence or faith in
- reliance: certainty based on past experience
- allow without fear
- believe: be confident about something
- faith: complete confidence in
- entrust; confidence: a trustful relationship
- Oh, I forgot to mention we have to do it with BITS on the WIRE!!!
18 Trust in the Information Age
- Trust
- With bits over the wire, How?
- Are there Working Models?
- On-line Auctions
- eBay
- PGP
- PKI
- Other
19 Trust in the Information Age
- Trust
- Models
- eBay allows both parties of each transaction to rate the other party with a positive, neutral, or negative rating. Then eBay makes the cumulative rating of its members available to its users.
- This is an accumulative statistical trust model.
- It seems to work fairly well; however, it has some shortcomings
- The tit-for-tat gambit
- For large volume parties it takes a long time for a reversal of behavior to show
- Doesn't include the size of the transaction, so good behavior for large transactions is rated the same as for small transactions
- Carefully policed by eBay. Seems to be adequate. Significant abuse is strongly dealt with
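Two of the shortcomings listed above (slow reversal for large-volume parties, and no account of transaction size) can be seen by scoring a feedback history three ways. This is an added example, not part of the original slides; the percent-positive formula, the rating window and the value weighting are assumptions chosen for illustration, and the feedback histories are constructed.

```python
# Constructed feedback histories: each entry is (rating, transaction value in $).
# rating: +1 positive, 0 neutral, -1 negative, the three ratings named above.
HIGH_VOLUME = [(+1, 10)] * 2000 + [(-1, 500)] * 20  # good record, then 20 bad large sales
NEWCOMER = [(+1, 10)] * 20

def cumulative_score(history):
    """Lifetime percent-positive over non-neutral ratings (assumed formula)."""
    pos = sum(1 for r, _ in history if r > 0)
    neg = sum(1 for r, _ in history if r < 0)
    return 100.0 * pos / (pos + neg) if pos + neg else None

def recent_score(history, window):
    """Same formula over only the last `window` ratings, so a reversal shows quickly."""
    return cumulative_score(history[-window:])

def value_weighted_score(history):
    """Percent-positive weighted by transaction value instead of by count."""
    pos = sum(v for r, v in history if r > 0)
    neg = sum(v for r, v in history if r < 0)
    return 100.0 * pos / (pos + neg) if pos + neg else None

def negatives_to_drop_below(history, threshold):
    """Further negative ratings needed before the lifetime score falls below threshold."""
    if threshold <= 0:
        raise ValueError("a percent-positive score cannot fall below 0")
    pos = sum(1 for r, _ in history if r > 0)
    neg = sum(1 for r, _ in history if r < 0)
    added = 0
    while pos + neg + added == 0 or 100.0 * pos / (pos + neg + added) >= threshold:
        added += 1
    return added

if __name__ == "__main__":
    print("lifetime score:  %.1f" % cumulative_score(HIGH_VOLUME))
    print("last 20 ratings: %.1f" % recent_score(HIGH_VOLUME, 20))
    print("value-weighted:  %.1f" % value_weighted_score(HIGH_VOLUME))
    print("negatives needed to fall below 95:",
          negatives_to_drop_below(NEWCOMER, 95), "for a 20-sale newcomer,",
          negatives_to_drop_below([(+1, 10)] * 2000, 95), "for a 2000-sale seller")
```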
20 Trust in the Information Age
- Trust
- Models
- PGP
- There is no central authority which everybody trusts, but instead, individuals sign each other's keys and progressively form a web of individual public keys interconnected by links formed by these signatures.
- A by-product of this approach is the emergence of communities of trust webs, mirroring the tight inter-relationships within social groups of various categories (e.g. kinship or occupational groups), and the looser inter-community relationships. Some of the individuals within a community may have trusted friends in another community, so this sort of trust-relations could form a bridge between communities.
21 Trust in the Information Age
- Trust
- Models
- PKI employs the hierarchical trust model. In a hierarchical trust model, end users trust the CA at the root of their hierarchy
- Trust between CAs flows down from the root. Relying parties will only directly trust other users whose CA is a member of the same hierarchy. In a hierarchy, the level of trust for a CA is a function of the level of trust associated with the CA at the root of the hierarchy.
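The PGP and PKI models on the last two slides differ in how trust is conveyed: along signature paths in a web, or down from a single root in a hierarchy. The sketch below is an added example, not part of the original slides, and models both on constructed data. It is a simplification that treats a signature as the only trust link (no PGP owner-trust levels, no certificate parsing); fred, tom and alice come from the earlier conveyance slide, and every other name and the hop limit are assumptions.

```python
from collections import deque

# Constructed data. Web of trust: signer -> set of keys that signer has signed.
WEB = {
    "fred": {"tom"}, "tom": {"fred", "alice"},    # one community
    "alice": {"bob"},                             # alice bridges to another
    "bob": {"carol"}, "carol": {"bob"},
    "mallory": {"carol"},                         # signs others, signed by no one
}
# Hierarchy: subject -> issuer; a root CA is its own issuer.
ISSUER = {
    "root-a": "root-a", "ca-a1": "root-a", "user1": "ca-a1",
    "root-b": "root-b", "ca-b1": "root-b", "user3": "ca-b1",
}

def signature_path(web, verifier, target, max_hops):
    """Shortest signature chain from verifier to target within max_hops, else None."""
    queue, seen = deque([[verifier]]), {verifier}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 < max_hops:
            for signed in sorted(web.get(path[-1], ())):
                if signed not in seen:
                    seen.add(signed)
                    queue.append(path + [signed])
    return None

def chain_to_root(issuer, subject):
    """Walk issuer links up to a self-issued root; None if broken or looping."""
    chain = [subject]
    while issuer.get(chain[-1]) != chain[-1]:
        parent = issuer.get(chain[-1])
        if parent is None or parent in chain:
            return None
        chain.append(parent)
    return chain

def relying_party_trusts(issuer, trust_anchor, subject):
    """Hierarchical model: trusted only if the chain ends at the relying party's root."""
    chain = chain_to_root(issuer, subject)
    return chain is not None and chain[-1] == trust_anchor

if __name__ == "__main__":
    print(signature_path(WEB, "fred", "alice", 2))   # conveyed through tom
    print(signature_path(WEB, "fred", "carol", 2))   # beyond the hop limit
    print(relying_party_trusts(ISSUER, "root-a", "user3"))  # other hierarchy
```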
22 Trust in the Information Age
- Define the suitable models for participant to multi-domain PKI
- Simple PKI
- Hierarchy PKI
- Mesh PKI
[Figure panels: Mesh, Hierarchy, Simple]
23 Trust in the Information Age
- Trust
- Oops, forgot to mention that the mechanism is Cryptography and the trust is associated with the KEYS
- So
- That whole rich social fabric of TRUST appears to collapse to what we are able to, with metadata (what amounts to labels), associate with KEYS.
- That's it
24 Trust in the Information Age
- Trust
- Digital trust is reduced to mostly key management and the meta burden we are willing to place onto the key management process
- There are all sorts of distortions that creep in as we try to reconcile our human experience and expectations with the very limited capacity of the digital space
25 Trust in the Information Age
- Trust
- Things not covered
- There is a tremendous amount of stuff going on in PKI.
- Trusted Systems
- Trustworthy
- Surety
- Trusted Software
- Versus Signed Software
- Trusted Computing Base
- Composition
26 Trust in the Information Age
- Credits and References
- Joseph M. Reagle Jr., Trust in Electronic Markets, the Convergence of Cryptographers and Economists. http://www.firstmonday.dk/issues/issue2/markets/index.html
- Alfarez Abdul-Rahman, The PGP Trust Model. http://www.cs.ucl.ac.uk/staff/F.AbdulRahman/docs/pgptrust.html
- Toward Real-World Models of Trust: Reliance on Received Information. http://www.safevote.com/papers/trustdef.htm
- Ben Metcalfe's Blog. http://benmetcalfe.com/blog/index.php/2005/08/11/flaws-with-ebay-trust-model/
- Tim Moses, PKI trust models. http://www.it-c.dk/courses/DSK/F2003/PKI_Trust_models.pdf
- OASIS, Trust Model Guidelines. http://www.oasis-open.org/committees/download.php/6158/sstc-saml-trustmodels-2.0-draft-01.pdf