[Cryptography] Trustworthiness

[iang]

On 23/06/2017 01:52, Kevin W. Wall wrote:

> On Tue, Jun 20, 2017 at 8:29 AM, iang <iang at iang.org> wrote:
>> In practice, anything labelled with trust was a bit of a bait&switch.  The
>> notion that people could "trust" systems was a misuse of the word.  In
>> practice people rely on systems, not trust them.  You don't trust your car
>> to get you to work, except euphemistically instead you rely on it.
> I know that this has been discussed many years ago on the RandomBit,net crypto
> mailing list. I recall Marsh Ray suggesting that we use the term "relies on" as
> suggested by his former colleague Mark S. Miller.

Yep - agree there.
> (I even have an indirect
> reference to that on my blog post on "Misunderstanding Trust" at
> https://off-the-wall-security.blogspot.com/2012/01/misunderstanding-trust.html.)

hmmm...

> In general, I think that "relies on" makes better sense in many contexts because
> unlike the word "trusts" it doesn't make non-security people think of a binary
> "trust / not trust" result. I think using "relies on" carries the more subtle
> shades of gray that is really more accurate when discussion such relationships.
> I do not really believe that trust is binary, but most people that I discuss it
> with seem to characterize it as such.

Yep.

> In my blog post "Understanding Trust", at
> <https://off-the-wall-security.blogspot.com/2011/07/understanding-trust.html>,
> I claim that "trust" has the following properties (does not imply a complete
> list):
>      Trust is not commutative
>      Trust is transitive
>      Trust is not binary
>      Trust is context dependent
>      Trust is not constant over time
>
> Read it and see if you agree. (I know Peter Biddle did not agree with trust
> being transitive which is why I wrote the follow-up "Misunderstanding Trust"
> blog post.)

I don't agree that trust is transitive... In your analogies in 
"Misunderstanding Trust" you use the example of the pilot trusting the 
chimp and therefore by extension the passengers end up trusting the 
chimp.  That I disagree with.  The passengers are trusting the pilot 
always, including to make the right decisions w.r.t. autopilots & chimps.

Only if the pilot were to walk back and propose to the passengers that 
they have a choice of deciding to trust the chimp to fly (and he bails 
out with the last parachute to make the choice real) or not - would they 
have been given the choice.  And if they choose to accept the pilot's 
offer, and the chimp flies them on, then they have transited their trust 
from the pilot to the chimp.

But if they don't know, they've done nothing with their trust.  If they 
do know and they have no choice, they have not decided to trust the 
chimp - they've complied with the reality that the chimp is now flying 
the plane.


> On Wed, Jun 21, 2017 at 6:43 PM, iang <iang at iang.org> wrote:
>> On 21/06/2017 08:29, Dave Horsfall wrote:
>>> On Tue, 20 Jun 2017, Ray Dillinger wrote:
>>>> The Trusted Platform Module, for example, is named correctly.
>>>> "Trusted" means simply that it introduces an additional risk of failure.
>>> Remember, in this context "trusted" means you *have* to trust it, not
>>> because you *can*.
>> This is what I call compliance.  I resist calling this trust.  To me, trust
>> involves me taking an analysis, making a decision, taking on a risk, and
>> then living with the consequences - reward or loss.
>>
>> Wherever one talks about a Trusted XBlahSomething, we ultimately end up with
>> no choice.
> And that is spot on the problem that I have using the term "relies on" rather
> than "trust".  Just because I "rely on" Google or GM or the USG doesn't
> really mean that I "trust" them, and even the extent that I do trust them is
> limited by context rather than all-encompassing.
>
> I think "trust" conveys a personal choice (although that choice often may be
> implicit). The "choice" being the analysis and decision making that Ian refers
> to...do I want to accept the risk or not? What are the trade-offs. Many times,
> those decisions are implicit and/or not terribly well-grounded in logic. For
> example, I think that many of us (myself included) at one time or another
> have made the mistake of "trusting" someone simply because they were in a
> position of authority only to have it come back and bite us royaly in the
> ass. The logic error there borders on the fallacy of appeal to authority, which
> is understandable given that its drilled into most people's heads since they
> were small children. At lot of those types of "trust" decisions get made
> implicitly because we generally feel that authorities will behave
> morally and are
> altruistic.
>
> However the term "relies on" doesn't really imply this degree of analysis. If I
> "rely upon" my car to get me from point A to point B. Maybe it's because almost
> all such cases of decision to use Google or use my care are implicit based on
> prior personal experience. (I remember first learning to drive and I had no such
> trust in my car at that time.) I think of "relying on my car" or "relying on
> Google" in the sense that I've already made a decision sometimes in the past
> based on nothing obviously bad happening and based on that, have decided to
> accept the benefits over any inherent risks. And I do that even when there are
> other equivalent, but safer, alternatives exist in it's place, such as using
> DuckDuckGo for Internet searches rather than Google search.

Yes - we rely on things that always work.  Unless they're broken. But 
that's a statistical thing, so reliance just includes a certain 
percentage of brokenness.

iang