Re: [Asrg] Trust, misunderstood?

[Yakov Shafranovich <research@solidmatrix.com>]

At 09:48 PM 7/2/2003 +0100, Danny Angus wrote:

>Hi all,
>
>There's been some talk about trust systems recently, I think I instigated
>some of it, and I feel that a number of comments have been made which kind
>of miss the point about trust. I'd like to outline my take on trust and why
>I believe trust should be considered by this group.
>
>First off trust isn't an absolute. Realistically I can only trust people I
>know, and even then I could misjudge them. To rely on another person's
>judgement is more risky still. It is also all wrong to think of trust as YES
>or NO, there are degrees of trust, some people we'd trust with our lives,
>others with our car keys, yet more with our phone numbers. We don't say YES
>or NO to the phone number guys, we say "I trust you just enough not to abuse
>this information"
>
>Secondly in existing trust mechanisms it is possible, but not widely used,
>for end users to make decisions about whom of trust issuers they will trust,
>and accept the judgement of in assessing an unknown third party.
>[..]

The trust problem has been mentioned in one of the Internet Drafts written 
by IAB (http://www.iab.org/drafts/draft-iab-e2e-futures-02.txt):

---snip---
3.1 Lack of Trust

   Perhaps the single most important change from the Internet of 15 years 
ago is
   the lack of trust between end nodes. Because the end users in the 
Internet of
   15 years ago were few, and were largely dedicated to using the Internet 
as a
   tool for computer science research and for communicating research results,
   trust between end users (and thus between the end nodes that they use) and
   between network operators and their users was simply not an issue in 
general.
   Today, the motivations of some individuals using the Internet are not 
always
   entirely ethical, and, even if they are, the assumption that end nodes will
   always co-operate to achieve some mutually beneficial action, as implied 
by the
   end to end principle, is not always accurate. In addition, the growth in 
users
   who are either not technologically sophisticated enough or simply 
uninterested
   in maintaining their own security has required network operators to 
become more
   proactive in deploying measures to prevent naive or uninterested users from
   inadvertently or intentionally generating security problems. One of the 
most
   common examples of network elements interposing between end hosts are those
   dedicated to security: firewalls, VPN tunnel endpoints, certificate 
servers,
   etc. These intermediaries are designed to protect the network from 
unimpeded
   attack or to allow two end nodes that may have no inherent reason to 
trust each
   other to achieve some level of trust; but, at the same time, they act as
   impediments for end to end communications.
----snip---- 


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg