Trust is not:
Trust values: Trust has a minimum of three possible values: +, 0 and -
1997 note: This is a work document for open peer-review and public discussion. It may change frequently.
2004 Foreword: Trust is the problem. Understanding human trust is exactly what brought me to that great IT question in 1997: how can I trust a set of bytes? My answer, given in this original paper draft, provided a framework that has been useful in the field of information security. The answer also provides a framework for understanding human trust (as expected fulfillment of behavior) and bridging trust between humans and machines (as qualified information based on factors independent of that information).
Trust is essentially communicable. But trust, as qualified reliance on information, needs multiple, independent channels to be communicated. If we have two entities (e.g., a client and server) talking to one another, we have only one channel of communication. Clearly, we need more than two entities. It seems unreasonable to require a hundred entities. The answer, looking into millennia of human uses of trust, is that we need at least four parties to induce trust (i.e., to communicate trust ab initio): the two parties in a dialogue, at least one trusted introducer and at least one trusted witness. Trusted introducers and trusted witnesses allow you to build two open-ended trust chains for every action, the witness chain providing the assurances ("how did we get here?") that led to action (including the action itself) while the introducer chain ("where do we go from here?") provides the assurances both for a continuation of that action and for other actions that may need assurances stemming from it. I call this principle the Trust Induction Principle: to induce trust, every action needs both a trusted introducer and a trusted witness. Please google for "gerck trust" to find newer papers, applications and also comments by others.
To the weary reader: The bottom line: Trust in cyberspace (e.g., between machines) is defined and is based on the same notion of trust, as a form of reliance, that we have been using for millennia between humans and in business. Using Information Theory terminology, this paper defines this notion of trust as: "Trust is that which is essential to a communication channel but cannot be transferred from a source to a destination using that channel." Why is this important? Why would you need to ever use the concept of trust in communications? Because you cannot always directly measure, feedback and control everything that may affect your communications. In the Internet, for example, you cannot control both sides of a communication channel. You need to use trust (and use trust well!) when it is not possible, or it is not convenient, to apply the laws of control with their specific requirements for measurement, feedback, processing and channel capacity. Moreover, the trust solution is not some form of "hope all is well". The trust solution is mathematically defined and embodies laws of trust that are exemplified for open-loop control in communications, Internet security applications, and human-human, human-machine, machine-machine dialogue.
This work presents a formal and abstract definition of trust which allows any number of explicit trust definitions to be derived for different application areas, such as communication systems, digital certificates, cryptography, law, linguistics, social sciences, commerce and day-to-day living -- providing mutually compatible and useful real-world trust models or trust instances. The paper presents more than thirty of such equivalent instances, and discusses their general formation rule for qualitative as well as quantitative uses of the concept of trust. The paper also compares and contrasts trust with auditing, power, belief functions, probabilistic models in the frequency and the Bayesian interpretations, fuzzy logic concepts, surveillance, open-loop control, risk, insurance, information, meaning, accountability, reasonable reliance, justified reliance etc. From the discussion, trust emerges as the mathematics of subjective certainty and precision -- a concept to be further developed in the context of non-boolean logic over a multivector space in Grassmann Algebra.
Note 3: The abstract trust definition presented here is a single, implicit formal definition that depends neither on instances nor on observers. The concrete realizations of trust in real-world usage built using the abstract definition, however, can depend on references and may have many representations, as discussed.
Note 4: The terminology "real-world models of trust" is used for all particular instances that are derived from the abstract trust definition, as representations of it, and which apply to the real-world -- including the so-called virtual reality or cyberspace.
Note 5: A Summary is available at the end of the paper.
This paper will initially focus on the subject of trust in communication systems -- specially the Internet -- which will allow us to view trust within the broad picture of information exchange and follow Shannon's ideas as closely as we can, building a base and a unifying concept for all other uses of the concept of trust, even in other areas besides communication systems and Internet certification protocols. In fact, if there is information being sent or received whatsoever the medium (e.g., by TCP/IP Internet protocol, by fax, by written messages, by oral messages, by body language, by field measurements, etc.), whatsoever the communicating parties in any combination (e.g., persons, cybernetic agents, software, hardware, etc.), the formalism here described is general enough to be applied. Communication systems are thus a very intuitive framework and we can relate several examples to day-to-day experience and humanistic sciences -- as we investigate the abstract idea of trust and proceed to model it out of the "common denominator "of all its real-world molds, targeting a hopefully useful conceptualization of trust.
The first subject is on "modeling of trust" and not on "trust modeling" -- the second being derived from the first. What I am saying is that we must first define and understand what trust is (and, possibly, is not) in the context of communication systems before we go into cryptographic algorithms and message protocols -- which can serve well either to be a means of conveying said understanding or, of obfuscating said ignorance!
For example, today's Internet certification protocols such as X.509, PGP and others, take a leap of ignorance on what trust is and start by defining means to convey it. Such attitude is not even empirical, it is indeed arbitrary. To justify this leap of ignorance, standards such as X.509 have statements to the effect that "... such will be defined in the CPS, which is not a part of this document." -- as if assumptions could be defined after the theorems that use them.
This is important for three main reasons:
"Trust is that which is essential to a communication channel but cannot be transferred from a source to a destination using that channel."
We cannot use the same channel for both the information and the trust for that information, neither sending nor receiving. A decision to trust a set of bytes (such as someone's name, a source of a communication, a name on a certificate, a digital signature, or an electronic record) must be based on factors outside the assertion of trustworthiness that is contained in that same set of bytes. Likewise, a decision to trust someone must be based on factors outside the assertion of trustworthiness that the person makes for himself.
So how does the trust model work? -- This is the wrong question to ask here! The real question is: "What trust model would you like to use?" There is a built-in notion of the meta-rules (given by the trust definition), that any trust model has to follow, but I might buy a trust model from someone and add that model, design my own model, or even augment a model that I bought. Different trust models can be used as long as they conform to the given trust definition.
The problem today is, thus, basic: lack of understanding of trust's truth conditions cannot allow trust's truth-values to be well-defined, try as we may. And, such confusion is not a prerogative of today's Internet security protocols, as McKnight and Chervany show in their extensive study on the meanings of trust [McK96] in several other areas. It exists in all other areas where the concept of trust is used, such as in management, interpersonal relationships, business relationships, security policies, etc. And, cannot be solved by just positing a behavior for trust -- since trust is a fundamental concept both used and useful in the real-world as we can see by its widespread application in all cultures and respective law systems.
While the paper oftentimes uses humans to exemplify
notions of trust, it is not relevant if there is, or there is not, a human
in control of an end point, a machine or some software. It can very
well be another machine. Trust is defined in such a way that its usefulness
is no longer limited to human communication.
Now, in the Internet world, we have come to a standoff: either we develop a real-world model of trust or we cannot continue to deal with limited and faulty-ridden trust models that treat trust artificially and objectively, as the Internet expands from a parochial to a planetary network for e-commerce, EDI, communication, etc. We must be able to fully handle trust and all its subjective and intersubjective aspects.
And, what would be a "real-world model of trust" for communication systems, e.g. the Internet world? Akin to Information Theory, the concept of trust in communication systems must have nothing to do with friendship, acquaintances, employee-employer relationships, loyalty, betrayal and other overly-variable concepts. Here, trust is not to be taken in the purely subjective sense either, nor as a feeling or something purely personal or psychological -- trust is to be understood as something potentially communicable. Further, if trust must bridge different instances and observers, otherwise communication would be isolated in domains, then all different subjective and intersubjective realizations of trust must depend on some common, basic and abstract idea -- an archetype in some terminologies. As used in the context of Generalized Certification Theory [Ger98a] trust is, simply:
"trust is that which is essential to a communication channel but cannot be transferred from a source to a destination using that channel".
This is a formal and abstract definition of trust. It defines trust by the properties it obeys, without citing any context, without even providing an example we could denote -- it does not provide a value, only behavior. Thus, the given definition achieves the broadest possible conceptualization of trust, since it is both environment-invariant and observer-invariant (environment and observers are abstract). But, we expect it to contain the seed-thought or root-idea of trust. In other words, we expect it to contain trust's implicit truth conditions for any explicit trust application we may need, from the social scenario to automatic communication processes. This should afford an unified "gist" of trust to be perceived in all applications -- which we also expect to be close to the real-world gist of trust.
As a better approximation to the definition that "trust is what you know" in the anthropomorphic metaphor, consider that "trust is what you know you know you know" -- i.e., the lamb not only needs to know (i.e., be aware of, can spontaneously recall) that it knows the lion is not hungry but must also be able to know how to act upon that knowledge. At the human instance, this means that you cannot use your 'prior knowledge' (i.e., what you know you know) in order to do anything, unless you also know about the applicability of that 'knowledge'. The extension to software agents is immediate; for example a trusted mobile agent may not be trusted as a function of changes in its operating platform (the pragmatics used) -- even though the platform itself may be secure and expressible enough -- if you have no evidence of that.
Trust and information are to be understood thus as two cardinal properties of communication systems -- their interplay affording new modes of communication (to be dealt with elsewhere), for example allowing meaning (semantics in semiotics) to be relinked with names (syntactic in semiotics) at the receiver side [see [A.4.3].
To proceed, we can now specify the reliance metric and its applicability. First, I note:
(i) "that which an observer knows and can rely upon to some extent" can be modeled in Information Theory as an estimator with variance as small as desired, which estimator by an observer (quasi-zero variance), that has measured the expected unsupervised behavior (i.e., unsupervised by the observer) of an entity and,
The next explicit definition is thus "trust is that which an observer has estimated with quasi-zero variance at time T, about an entity's (unsupervised) behavior on matters of x". Note that the word "estimated" does not mean probabilistically, but is linked to any estimation or inference process in general -- such as by using inference, deduction, computability, probabilistic theories, constraints, etc., and also in combination. Hence, an observer can rely upon an estimator that it has obtained in the past in order to predict future unsupervised behavior of the entity regarding matters of x -- because the estimator has an expected quasi-zero variance.
Thus, trust can be described by a "Non-Probabilistic Inference Model of Trust" (NPIMT). Of course, "non-probabilistic" does not mean that probability is not used in the trust model -- as explained above.
The underlying concept of this model of trust is that of justification. It is not essential to this model of trust whether a natural or logical connection exists between trust and justification. Of course, the use of probability or deductive-logic may serve to raise the level of justification for a subject matter, when compared to a natural connection that is simply observed.
Justification defines the context of trust for the truster. In other words, justification defines the context of a relying party's (RP's) reliance . It's easy to say that a truster's justification of trust, or a RP's justification of reliance, is a matter of need. But this is not quantitative. If we are to make some progress in this, we need to define those needs as degrees or levels -- i.e., in terms that we can identify their differences and their required trust models. Thus, it all hinges on the definition for justification, as a metric function that decides what is justified and what is not. Which definition can be changed as needed, even for the same person in the same trust act (this might sound strange but is very much needed as we usually deal with more than one person/company at a time even for one transaction --e.g., buying, paying, delivery, maintenance, etc.). All these definitions, however, must interwork in terms of meaning. It is not enough that they interoperate syntactically.
I now introduce the concept of "best justification" as that justification level which leaves the truster with no doubts. This is consistent with the idea that trust (or distrust) is always 100%, what changes in value is the extent of trust that is chosen by the truster. Likewise, the extent of the doubts that must be satisfied in "best justification " is chosen by the truster.
To simplify, let us begin with the following five reliance levels, from
weaker to stronger, for a truster (or RP):
(0) What the truster relies upon without any consideration of "why" and without any recourse. It is a subjective metric, here called "open reliance".Another example might be what a fair random process might choose, given all possibilities. This is an objective metric, here called "statistical reliance", similar to the same concept in law, used in lotteries, auditing and some payment systems for example. Yet another example might be what has been verified with some chosen technology, but only automatically. This is an objective metric, here called "process reliance", and can be useful for security-automated processes.
(1) What the truster relies upon without any consideration of "why". It is a subjective metric, also called "actual reliance", similar to the same concept in law.
(2) What the truster relies upon because it is presented by a party accepted by the truster for that purpose. It is a intersubjective metric, usually called "authorization reliance", similar to the same concept in law.
(3) What the truster as a reasonable man might do, with all prudence that might be reasonable to use. It is an objective metric, also called "reasonable reliance", similar to the same concept in case law which establishes it as an objective test given by "what would be reasonable for a prudent man to do under the circumstances".
(4) What can be justified by the truster after an examination of the facts presented. It is a subjective metric, also called "justified reliance", similar to the same concept in law.
- "trust-point": matters of x, for a given entity and epoch.
- "trust": (noun) a linked collective of trust-points
- "to trust": (verb) to rely on trust
- "A trusts B on matters of x at epoch T": a boolean trust-proposition, which is either true or false.
Now, I note that "to rely" is an essential aspect of trust as a verb, since A cannot trust B on matters of x at epoch T unless A actively relies on that trust-point. I also note that when the definition says that "to trust" is "to rely on trust" this does not imply circularity because "trust" is used as a previously and independently defined noun in order to define the verb "to trust". Further, to compare with matters of law, the usual legal concept of "reasonable reliance" is understood [SCUS] to be an objective legal standard for collective evaluations (such as by a jury) while "justified reliance" is understood [SCUS] to be a subjective legal standard more generally acceptable for evaluating individual actions -- which makes "subjective reliance" in law very similar to the concept of trust based on the metric of best justification, as given above.
Which means that trust is not auditing -- trust is that which can be relied upon without surveillance by the observer (possibly because it cannot be measured due to physical, secrecy, cost, time or other difficulties). It is also possible for the observer to indirectly and anonymously gather sufficient information to define a suitable estimator for the entity's behavior on matters of x, without any contact with the entity itself --as when using a trusted proxy (which, however, depends on a primary trust relationship with the proxy). Further, the observer can also use the measured estimator at time T to analyze past behavior of the entity (i.e., before time T). So, the estimator can be seen as a quantitative forward- and backward-predictor for the acts of an entity regarding matters of x, when that entity is not supervised by the observer.
The next three paragraphs touch upon a large difference between the technical use of "trust" (as defined) and "trust" in the social and linguistic domains. The difference is not on the meanings of trust, which remain equivalent also with the considerations below, but how to represent different degrees and extent of trust. The exposition presents a method (based on full atomic qualification) which is precise and compact, well suited both for technical as well as for non-technical use -- however, perhaps too formal for every-day use. As the second paragraph shows, such "poetic" and "every-day" use of trust also wrongly permeates security work or communication protocols -- rendering trust concepts difficult to use, because ill-defined. This may explain trust's "bad name" as a difficult concept, perhaps even as an overly-loaded terminology. The problem is not however in the concept of "trust" by itself, but in using wrong trust quantifiers. The third paragraph extends the method (i.e., based on full atomic qualification) to the questions of defined versus undefined trust, allowing indeterminacies to be resolved in a simple and intuitive way.
To represent degrees of trust, the estimator's (quasi-zero) variance is not allowed to change, because such would not be a useful model (see next paragraph). Rather, without loss of generality, the estimator is kept at quasi-zero variance but its reach (e.g., as given by matters of x) is increased to reflect a higher degree or decreased to reflect a lower degree of trust. This is similar to the mathematical procedure of finding an area under a curve that represents near 100% reliance (i.e., quasi-zero variance) on matters of x. In other words, we regard the issues of reliability and accuracy as two fully independent variables: (i) high-reliability is demanded as the primary parameter and is reflected in the estimator's quasi-zero variance or high-reliance, (ii) accuracy is measured by the extent of "matters of x" that still allows high-reliability. Thus, if the observer has no trust on the observed entity, then x is the empty set (i.e., 100% reliance on nothing represents zero area under the curve -- or, no trust). As the observer increases its degree of trust on the entity, then the estimator becomes more and more complex and represents an enlarged set of matters of x for which the entity can be represented with quasi-zero variance (i.e., with near 100% reliance) -- i.e., achieving more accuracy for the predictions, but without sacrificing reliability. This means that trust can also be defined explicitly by "trust is that which an observer has estimated with high-reliance at epoch T, about an entity's (unsupervised) behavior on matters of x".
Oftentimes, some trust models, risk management policies and security policies try to qualify degrees of trust with concepts such as "partial trust", "marginal trust", "fully trusted", or by defining multi-level logic with rules for majority voting and precedence. That is done to try to convey the idea of how well can "trust be trusted" -- which easily leads to circular truth conditions and undefined statements. For example, does "partial trust" mean increased unreliance on the expected outcome, on the expected model for all possible outcomes or a reduction on the model's scope? Partial in relationship to what? Thus, such trust "qualifiers" are unable to address atomic qualities in the trust concept and just operate, at most, as a collective qualitative indicator from that particular observer's viewpoint. The author takes the stance that no qualifiers whatsoever (i.e., partial, marginal, complete, bad, good, large, small, minimum, maximum, etc.) should be used with the word trust because they are neither well-defined, quantitative nor needed. Further, they introduce an additional layer of intersubjective concepts and they decrease the semantic importance of the word trust itself. Instead, it is better to recognize that the concept of trust has already by itself such qualifiers "built-in" in its own qualifier "matters of x" -- which can however include the atomic qualities which are unaddressable from without. To exemplify, compare the phrase "Bob has partial trust that Alice will not receive a ticket for speeding" with "Bob trusts Alice on matters of x", where "matters of x" is "Alice may receive tickets for speeding". The same thought is expressed in both phrases but the last phrase allows a precise answer to the question "What is trusted?" and can thus be directly applied in appropriate predicate calculus. The last phrase can also easily lead to a quantitative and atomic treatment, when Bob has more knowledge on Alice's behavior and may be able to define "matters of x" as "Alice receives tickets for speeding with a 10% chance every time she drives at night, with a +-5% absolute variance". It is not necessary either to define distrust or lack of trust, because distrust is simply the atomic negation of a particular matter of trust, which can be as extensively negated as we need, e.g. in "Bob trusts Alice on matters of x" where x is the null set -- so that effectively Bob trusts Alice on nothing. However, trust can be negative as when you affirm that you trust someone to be untrustworthy. Further considerations on these issues are given below and in the discussion on matters of x.
Still on the question of degrees of trust, it is also customary to discuss "unqualified trust" versus "qualified trust" -- with expressions such as "Alice trusts Bob" being "unqualified trust". This paper takes the stance that such expressions are dubious, are not necessary and should not be used in technical work (albeit possibly useful in poetry) -- for example, in "Alice trusts Bob" is "matters of x" unknown, abstractly defined by Alice or, is x the Universe set? As explained in the former paragraph, the built-in qualifier "matters of x" has to be recognized and its truth-value must be defined in the trust proposition -- e.g., by defining "x" in "Alice trusts Bob on matters of x". Thus, if one means that Alice trusts Bob on all matters then this can be expressed by using "x=U", where U is the Universe set. Or, if one means that its value is abstractly defined by Alice then one uses "x=Alice" and this means that Alice defines what Alice trusts on Bob. If "matters of x" is unknown then one uses "x=0" where "0" is the null set -- i.e., trust on the unknown has a null set of trusted matters. This standard usage allows a precise statement of the trust proposition, clearly a need for precise calculations, which is natural and easy to define in the presented formalism. As a special case, it is however useful to define that "Alice trusts Bob" necessarily means the case with x=U -- which matches the intransitive usage of the verb trust, as "In God we trust". Thus, without a "matter of x" qualifier, an unambiguous and intuitive use of the trust proposition "A trusts B" should imply that the qualifier x must be equal to the Universe set.
It is instructive to view trust as an open-loop control process, in control theory terminology -- i.e., a control process which does not rely on a closed feedback loop in order to achieve its purposes. This comparison allows one to recall the advantages and disadvantages of open-loop control (e.g., trust) vis-a-vis closed-loop control (e.g., close surveillance) and apply them to the case at hand. In control theory, the basic parameter to measure performance is position-error -- which translates here to the trustee's actual response as compared to its expected or estimated (i.e., trusted) response. In open loop-control, one method frequently used to decrease position-error is to introduce periodic checks of any convenient system variable, not necessarily the control variable. This is equivalent to the well-known dictum: "trust but verify" -- implying the need for a pre-defined policy of checks and balances that can periodically adjust the trust estimator as a function of observed behavior. Further interesting qualities of trust over close surveillance can be exemplified by the mentioned control theory analogy, regarding the main advantages of open-loop control over closed-loop control: simpler systems (hence, less cost and better fault-tolerance), immediate response (i.e., nothing needs to be measured in order for it to operate), easier design (e.g., avoiding probable but unknown pitfalls of complex designs), easier interfacing (i.e., suffers and exerts less influence on the rest of the system), modular design (i.e., complete and interchangeable), cheaper, etc. Thus, trust can also be explicitly defined as "trust is an open-loop control process of an entity's response on matters of x" or, less precisely but more concisely, also as "trust is to rely upon actions at a distance".
Trust on an entity cannot be viewed as a consequence of insurance or, as often wrongly expressed "It's not about who you trust, but who backs and indemnifies the context of the trust" . The use of insurance always signals lack of knowledge -- so, clearly, it cannot replace it, it cannot replace trust. Further, there is no insurance needed for a sure event and there is no insurance possible for a sure risk. To exemplify another problem caused by such understanding, if a truster (e.g., a CA subscriber that trusts the CA) is going to for pay insurance to cover his liabilities and the trustee's (e.g., CA's liabilities) -- which is what it would amount to if trust would be based on insurance because the bill has to end somewhere -- then responsibility has gone full-circle and is now only in the truster's hands -- both to get adequate coverage and to pay for it. While the trustee (e.g., the CA) has zero risk. However, that does not solve the risk problem for the truster either, if the trustee's acts may affect third-parties -- such as when a CA's (i.e., the trustee's) certificate is issued for a CA subscriber (i.e., the truster) but will be actually used by a generic user (i.e., a third-party) to certify the subscriber. Here, one cannot make the whole world sign up one huge insurance policy -- so the truster and the trustee may be protected by the insurance policy that the truster has bought with their names as beneficiaries but that does not protect a generic third-party (i.e., the rest of the world) that may rely upon the trustee's acts on behalf of the truster (e.g., the certificate issued by the CA and purportedly including the intended subscriber's correct data).
Trust is not to be confused with accountability -- as sometimes expressed: "for e-commerce, trust is pretty well irrelevant and what you need is accountability". Indeed, the interplay between trust and accountability is sometimes difficult to delineate. But, here, logic can help. Suppose you have the information that A is accountable on matters of x. Can this information be trusted? So, trust is the vehicle, the carrier for accountability.
Trust is not belief but may be expressed in terms of belief. As one can derive from the work of Dempster and Shafer [DS97], [Ger97], "belief is the probability that the evidence supports the claim". Thus, belief can indeed be used to gauge reliance on a trust-point, i.e., to verify if "matters of x" really represents "well enough" the entity's actual behavior vis-a-vis the evidence. If one uses the concept of belief, then trust can be defined by "trust is received information which has a degree of belief that is acceptable to an observer" -- which is linked to the concept of local knowledge in [Ger97], hence "trust is knowledge acceptable by an observer".
Trust is not probability, neither in frequency nor in Bayesian interpretation, but may be expressed in terms of probability in either case. The frequency interpretation suffers from the "objective" aspect it assigns to probability and from a strong dependence on past events -- while trust is subjective and may suffer an abrupt transition to zero in one event. In the Bayesian interpretation, even though one can compare Bayes-belief between different events and such belief is subjective, "Bayes-knowledge" gained from recent events and knowledge assumed from prior events cannot be treated as members of the same set of "knowledge". Thus, "new trust" would be essentially incompatible with prior trust, under Bayes. For example, "new trust" would need to be binary and could not be learned unless a non-zero probability for it already existed. Difficulties in the belief revision aspects of Bayesian probability are important here, as discussed in the literature for example by Wang [Wan93]. Further, some aspects of trust imply conceptual coherence, while probabilities only describe perceptual coherence. For example, if I have a formula that can purportedly calculate any n-th digit of pi in base-16 (the Bailey-Borwein-Plouffe pi formula), then my trust in this formula depends on its conceptual coherence with the underlying mathematics. Which trust can justify my reliance on all its possible perceptual outputs even though I cannot perceptually measure all of them (i.e., I cannot verify all the infinite digits of pi that the formula can predict, to see whether they are true or not).
As initially defined by Wally [Wal91] but modified here in order to disambiguate imprecision from randomness and uncertainty from outcome prediction, the terms uncertainty and imprecision can be used to highlight different aspects of models. I define that a model is uncertain if we cannot make statements about a single outcome, or certain otherwise. The binomial model for flipping a coin is a good example of an uncertain model, as we cannot predict a single flip, even though we are sure that half of the tosses should come up heads if we wait long enough. A model is imprecise if we cannot predict the long run behavior, or precise otherwise. For example, we may have insufficient information about the failure rate of a component of a new car type, in order to make a precise model. Using this terminology together with the usual definitions for objective and subjective, we can see that probability is an objective (frequency analysis) or subjective (Bayes) precise uncertain model, belief is a subjective imprecise uncertain model, fuzzy logic is an objective imprecise certain model, whereas trust is a subjective precise and certain model. Thus, probability is the mathematics of objective and subjective uncertainty while trust as defined in this paper aims to be the mathematics of subjective certainty and precision.
Trust can be negative -- meaning that you know you cannot trust. This is a situation of "knowing with qualification that there is a definite lack of trust", exemplified by the phrase from an actual work e-mail message (names changed) by a contributor to this discussion: "As I stated to James in our Team phone call on Wednesday, Acme has now taught us to trust Acme to be untrustworthy, and we must hold that trust until Acme breaks it, since there is no basis for any other kind of trust." Of course, if we know we cannot trust then that qualified lack of trust is trust.
Trust can be neutral, neither positive nor negative, as exemplified by case C for Phill's modem in the Appendix [A.4.10] -- corresponding to the case where one needs no trust. As explained in NOTE 2, "needs zero trust" or "needs no trust" is not the same as "has no trust". To say that "channel A has no trust for property X" is the same as to say that "channel A does not transfer trust for property X" -- so, if you need trust on property X you cannot use channel A alone. However, when channel A "needs zero trust for property X" it means that no other channel is needed in order to transfer property X, but channel A.
It is interesting also to compare trust with risk -- which is one of the counterparts of trust. Indeed, if the risk is null then anyone can be trusted. Or, if the risk is sure then no one can be trusted. Further, more trust means less perceived risk that some piece of data, behavior, etc. will turn out to be different than expected. The comparison between risk and trust seems to have another contact point: this paper considers that trust indeed has components which must be individually "perceived" or earned -- in the same way that risk must be individually "perceived", cf. Shrader-Frechette [S-F97]. This means that neither can be just "assigned" -- because both are linked to what an observer can estimate and rely upon to some justifiable extent. In her study on risk evaluation, Schrader-Frechette explains:
However, trust should not be confused with the absence of risk. The fact that some parts (i.e., aspects) of trust may use risk to formulate a decision process does not mean that trust as a whole must be based on risk. Further, if an aspect of trust uses risk as a tool in the decision process to trust then that part may be described by probability but, not necessarily -- as risk may not be ergodic itself.
Further comparisons can be useful, indubitably. They are also interesting to exercise the explicit meanings of trust which are being developed as stances of the abstract definition. However, Section 4 will provide general arguments that will allow a broader understanding of the role of trust in communication systems -- making it possible to deal at once with several comparisons. Section 3 deals with the need for such comparisons, as a way of measuring if and how well the abstract definition of trust can represent reality -- as a source for useful real-world models of trust.
This paper considers trust to be essentially subjective, as one of its main truth conditions. Which may present an apparent contradiction with situations where trust may be perceived by some as objective (such as trust on an objective fact -- e.g., life and death, money) or sometimes also as intersubjective (such as trust on a professional ability -- which also depends on the chosen professional). The main word here is "subjective" -- which means that one needs to take a subjective or personal instance in order to evaluate an object. For example, beauty is a subjective concept ("beauty is in the eyes of the beholder"). A secondary word is "intersubjective" -- meaning that this instance can yield different results for objects of the same class. For example, a medical diagnosis for a patient is intersubjective because the diagnosis itself is a particular instance from the class of all diagnosis possible for that patient at that time, each clearly dependent on the patient's relationship to the physician and different from the other. It is interesting to note that an intersubjective concept is overly-variable in reference to a subjective concept, because it also depends on the particular instance of the class' object.
Thus, the paper considers trust to be subjective ("trust depends on the observer") because trust is similar to beauty and dissimilar to a medical diagnosis in that regard: trust and beauty are abstract objects that cannot be differently instantiated. However, even though trust is subjective, trust on a CA certificate is intersubjective because it cannot be harmonized or harmonizable for all CAs or, even, for all similar certificates issued by a particular CA. The conclusion is clear: trust is subjective but can acquire an intersubjective dependence. Further, the subjectiveness of trust may still allow a possible coherent intersubjective concordance over a large population in regard to one entity -- which could lead to an impression of its objectiveness.
Therefore, the proposed definition of trust can also easily explain the oftentimes contradictory and seemingly confuse behavior of objective, intersubjective and subjective perceptions of trust -- leading one time to what seems to be "objective trust" (e.g., currency, life and death cycles, the Earth's orbit, etc.) when there is a large collective of agents that coherently trust one target, other times to "intersubjective trust" (e.g., mother and son, certificates from a CA, etc.) when there are some collectives of agents that develop mutual trust relationships, and still other times to "subjective trust" when the subject independently defines who or what the trustee is. Therefore, all these "trust modes" can be simply explained by recognizing that they depend atomically on the collective and individual actions of a large or small sample of agents that, nonetheless, trust one another entirely subjectively. Which easily explains historical difficulties such as faced by Galileo Galilei, when he proposed to change the then "objective" trust that the Sun revolved around the Earth. Clearly, it is much more difficult to change trust when it is confused with fact -- which was the case.
As this paper shows, all trust is essentially subjective and all
trust is essentially knowledge that an observer has acquired and upon which
can rely to some extent -- which means that the observer not only evaluates
trust but also stores it either directly or indirectly, with all its multiple
interdependencies and relative reliabilities along a timespan. If
the occurrences that we see in time are called "perceived facts" --
whether objective, subjective or intersubjective -- then trust is not the
facts themselves but knowledge about the perceived facts -- which depends
on each observer. Essentially, in our interactions, we compare trust
-- not perceived facts and not facts. The same happens with our cyberagents,
software programs and also hardware -- which can then be recognized as
equally able to deal with and use "their" trust as we can with ours, even
and most importantly when in interaction with us. As we can understand from
the given real-world models above, this allows a common ground for
process-trust and social-trust, linking cyber and 3D worlds.
trust: "trust about an entity's behavior on matters of x is that which an observer has estimated at epoch T with a variance as small as desired",or, conversely, by the equivalent explicit definition:
trust: "trust is to rely upon actions at a distance",
trust: "trust is to rely upon reactions at a distance",
trust: "trust is to rely upon actions or reactions at a different point in space or time",
trust: "trust is qualified reliance on information, based on factors independent of that information",
trust: "trust is reliance on received information, coherently with some extent",
trust: "trust is what an observer knows about an entity and can rely upon to a qualified extent",.
intersubjective trust: "trust is a bilateral agreement, not necessarily balanced" -- which means that it can include skewed relationships,
trust: "trust is knowledge acceptable by an observer",
trust: "trust is that which provides meaning to information",
trust: "trust is a link between reference and referent",
trust: "trust is a link between referent and sense",
trust: "trust is a link between reference and sense",
trust: "trust is measurable by the coherence of understanding"
trust: "trust is that which absence can make any state possible",
trust: "trust is that which absence can make any state transition possible",
trust: "trust is that which absence can make a process non-ergodic",
trust: "trust is that which absence cannot justify reliance",
The following definitions are also useful, in terms of the concept of a "trust-point" for "matters of x" [A_3], where a trust-point is the "elementary unit" of trust in a given metric:
Why trust propositions are binary? An anthropomorphic example may help to explain. You are the collection of your thoughts, some of which are assumptions to you and you are not quite sure of. Other thoughts are self-trusted by you and you know you know that you can actively rely upon them. For example, your name has self-trust to you. Do you have reasons to believe it is true? Is your name your name? Certainly, is perhaps the answer I would hear from you or from anyone else. But, what is the dividing line between assumption" and "trust" in your mind? Depends on you, on each human being, and mainly reflects your "best justification" metric For example, Descartes, the French mathematician and philosopher, used a very strict justification when he said that the only thing he was certain of was that he existed and that he was certain of it because he could think ("Cogito, ergo sum" -- "I think, thus I exist). From that starting point, he constructed his reality -- what he trusted. So, to Descartes, not even his name was trusted by him at first, in his analysis. He answered "false" to the same decision problem you and everyone else would probably answer "true". Thus, why trust propositions are binary? Because you have to decide. Either you act, or you don't. You may rely to any degree as given by the extent of matters of x -- but you must know 100% if you rely or not.
It must be pointed out that while many more explicit definitions of trust are possible, also as a function of pragmatics (in semiotics), the abstract definition is perhaps the most general and invariant formulation -- the seed-concept for all the other definitions of trust. As shown also in the Appendix, not only useful explicit definitions for process-trust but also for social-trust can be derived from it. Thus, whenever we refer to the "trust definition" we mean the abstract formulation in first place and the explicit forms as secondary. It is also important to note that other abstract definitions can be derived from the given one, not just explicit definitions, but that is usually not so useful because abstract definitions cannot be directly applied to a case without first defining the stance and the observer (i.e., by defining an appropriate a explicit definition).
However, what is the use of so many different derived definitions? Here lies one of the most powerful aspects of the present treatment -- since all such definitions are equivalent, they can be potentially mixed with one another in adequate logical propositions that may allow for different trust stances and observers to be combined, as necessary. This means that, for example, one may perfectly well consider in one statement a trust proposition that depends both on trust on a system (which is process-trust and acquires an objective quality) and, trust on the intentions of a person using such system (which is social-trust and has an intersubjective quality). The different statements (i.e., social versus process trust) would simply use different trust-points to represent the different operators for matters of x.
Another question that the reader may have at this point concerns a perhaps expected polemic around the above definitions, specially the abstract definition -- "is the abstract definition of trust the right one?". Clearly, this is a right question. Paraphrasing Tarski [Tar44], I hope that nothing that I have written here, will be interpreted as a claim that the abstract definition of trust is the "right" or the only possible one. However, what is "the right one"? Here, perhaps the only metric we may accept is that given by Leshniewski and quoted as this paper's motto: "A theory, ultimately, must be judged for its accord with reality". This is the reason why we have extensively looked into the question of what trust is and what it is not, when comparing the predictions made by the abstract definition with the technical and linguistic usage (see A.2) of the word "trust" in our reality -- for several stances and observer relationships. We have indeed verified that the given abstract definition produced results which were semantically equivalent to a series of meanings of the word trust which were investigated, with no exception. Since we covered the majority of meanings that are needed in communication systems, based on several common stances and observer relationships, the paper justifies the abstract definition by its accord with reality -- at least, for the tested part of reality. The reader is invited to test other parts of reality and to communicate the results of such tests to the author, either for positive or for negative findings. Particularly interesting could be the application of the abstract trust definition to other areas besides technical communication processes , such as to test its usage also when modeling trust for legal and social communication processes -- e.g., power relationships, managerial activities, auditing, interpersonal relationships, art evaluation, etc.
It is useful also to consider the question whether the author should have used a different word, for example "drust", instead of "trust" for the abstract definition. However, the objective -- from the onset -- is to define "trust" so that the abstract definition must be able to produce explicit definitions which should be equivalent to the real-world (i.e., social, legal, etc.) uses of the word "trust", at least for the majority of useful cases. Thus, the question is not what is the concept herein defined, but whether it is equivalent to what one would expect from linguistics, social sciences, etc. Which, indeed, is the case at hand -- as already commented above.
The provided trust definition leads to several consequences, to be pursued elsewhere, but the ones we need to cite here are:
The concept of self-trust depends also on communication channels, but from past to present. Thus, the entity can transmit information to itself at a later time, which is called memory. Self-trust depends on the contents of such memories, when the entity can rely upon them to some extent.
The same considerations above can also be used to understand
actions that may increase or decrease network security, where "self" is
the particular autonomous unit being considered (e.g., a program unit,
a smart-card, a piece of hardware, etc.). In the particular case
of Internet security, self-trust is concerned with spontaneous capabilities
and performance, including the pragmatics (i.e., the area of semiotics that
describes the environment and passive/active attackers/observers) but without
any stimulus to self from the pragmatics.
What is then the solution? How then and to what measure can I acquire and communicate trust?
First, trust cannot be thought of as a type of authorization loop, where trust flows from the source to the destination and back to the source, similar to a battery and electric current. 
Further, contrary to information, trust cannot come in by a type of add-on -- such as modulation on a carrier. Why? Because when you modulate a carrier you are encoding information into that carrier and you suppose that the carrier is pre-existent -- so the carrier has a very low information content while the modulating signal has a very high information content. Ideally, 0% and 100%. On the other hand, according to our definition, trust must have zero information content (trust is what you know).
So, trust cannot be thought of as a modulating wave -- it is the carrier! This is the paradigm shift that the development of intrinsic certification [Ger97] was based upon in the first place. First acquisition, then recognition.
Without the need to continue with a stepwise investigation as done in Section 2, we can now generalize. The bottom line is that trust is akin to a carrier of information -- which information can be anything we may need: accountability, evidence, responsibility, validation, reliability, generalization, uncertainty, consistency, truthfulness, legal reliance, liabilities, warranties, ethics, monetary values, contract terms, deals, person's name, person's DNA, fingerprints, bank account number, public-keys, etc.
So, not only accountability but even truthfulness depends on trust. Trust is a basic property of communication channels, similar to information. I could say, in a very broad generalization, that "everything is information and rides on trust"... which trust allows you to act or not, when based on that information. So, this is a second-order Information Theory -- in which we are not any more interested only on how much "surprise" data is being transferred over a channel -- as measured by the uncertainty of the party as to what the message will be. Rather, I now focus on what is essential to that message but which cannot be transferred using that channel (as trust is defined here) -- which can be equally quantitative as information, though both are subjective.
For further examples of using the abstract definition of trust, see A.4.10, A.4.11 and the mcg-talk list repository.
My following assumption then is to mathematically model any suitable explicit definition of trust (i.e., this is not a play on words but we have to model our real-world model of trust) as a multivector operator on information, which is parameterized by (t,d,s,...) where t=transitive, d=distributive, s=symmetric, ... + other properties such as time (see ). Of course, the mathematical model may change if we change the explicit definition used to form the representation -- but all models are upward compatible with the single abstract definition of trust.
Any suitable trust model can now allows us to answer the basic trust questions, as a function of cost and risk .
When (t=0, d=0, s=0, T=0, ...) we have "hard-trust" -- i.e., zero information content (no surprises) and no risk. But, also, as isolated as an island -- trust cannot be acquired or communicated.
When we allow the parameters (t,d,s,T, ...) to take non-zero values, then we have "soft-trust" -- i.e., non-zero information content (bad and good surprises) and ... risk. Here, trust can be acquired and communicated but always tainted with information. In other words, "hard-trust" is only applicable to self-trust -- because self-trust is untainted by information (by definition, since it is known to the observer). However, trust must be properly gauged  also as a function of risk/cost if it is to be properly used in the soft-trust regime.
As a final remark on the mathematical properties of trust, a cursory
reading of this paper may give the impression that trust just depends on
appropriate out-of-band information. For example, one may think
that trust is warranted if "I, entity A, have independently verified
that the certificate is in fact from CA B, by virtue of having exercised
the appropriate out-of-band security procedure to confirm its authenticity".
This is far from truth, because of two main reasons already mentioned above:
(i) the non-boolean properties of trust and, (ii) the multivector aspects
of trust as a mathematical operator. For some examples, see .
This highlights the importance of the study of the mathematical properties
of trust, briefly sketched here and in the Appendix. Further references
are contained in the mcg-talk list (under the author's number-ID
416720) and in the sci.crypt newsgroup as well as in the lists e-carm,
cert-talk , dig-sig, ssl-users, ssl-talk, spki and others (under
the author's name).
When trust is represented as qualified reliance on received information,
it allows the definition of mathematical operators which can represent
the concept of soft-trust, when the truster permits (as in the real-world)
some degree of transitivity, distributivity and so on, which turns
out to be essential to Internet communication processes -- but which
open a series of security risks, as discussed in a broad context.
In practice, the theory is always more complicated.
Currently, the work proceeds on the development of a proper trust algebra (using Grassmann's Algebra) that can represent and allow soft-trust and its risks to be calculated with a type of proposition calculus. Trust algebra is non-boolean but begins with boolean propositions of the type "A trusts B on matters of x at epoch T" and unfolds into fully intersubjective calculations on n-dimensions, which can be visualized by using the concept of multivector intersection in Grassmann Algebra. Trust has thus subjective, intersubjective and objective components -- as a multivector of arbitrary dimension. Trust can be shown to be a cardinal property of certification systems, as discussed in "Why is certification harder than it looks?".
The arguments presented in the paper show already several common mistakes that we must be aware of and avoid, when dealing with the concept of trust in Internet certification, which are discussed in the Appendix -- specially A.1. Taking such model of trust further, as it will be presented in future papers and in the Meta-Certificate Standard, leads to what is called "archetypical trust model" as presented in the MCG-FAQ. In the model, even though the trust operator is clearly non-Boolean (see the mathematical properties above), it can be used to construct Boolean trust propositions (A.3) that can represent not only binary but also tertiary, quaternary and generic m-ary trust relationships. The concept of "critical radius of trust" is also derived from space and time considerations of differently interacting agents, where the critical radius is defined as the reach of soft-trust where risk and cost are equal.
As recognized in linguistics and semantics, words should be used within their generally accepted meanings as much as possible (in fact, some claim that this is the main difference between science and poetry...). The paper showed that the full content of the accepted social meanings of the word trust, albeit of difficult conceptualization [McK96] in its real-world and social uses, could nonetheless be well-modeled by an abstract definition of trust within the framework of Information Theory and communication processes -- thus rendering possible its scientific and technical use a par with the social meanings. Semantically, the abstract definition of trust contains the seed-thought of the full concept of trust, which unfolds as explicit truth-conditions when applied to each practical stance , which, in turn, may provide different truth-values to each observer. The abstract and the explicit definitions of trust can thus provide a common ground when dealing with trust, in any context. Trust is also shown to be a new type of measurement: how to rely upon actions at a distance. Thus, trust affords an answer to the problem of measuring events that are important, significant but which are essentially unreachable -- as strongly exemplified in the Internet, but which may have applications in other areas of communication systems and science.
Further, since trust can be shown (see A.4.3) to be essential to allow meaning to be conveyed in communication, and not just references, this paper advances the thesis that trust is a basic property of Nature, such as time and information. Without trust, communication in Nature would have no meaning -- which is clearly not the case, and which negation supports the thesis. Further weight to the thesis comes from the very historical difficulty to define trust so far, as mentioned in the paper, which points out the basic nature of trust, as with any concept that cannot be well-defined because it is primary -- e.g. time.This shows the futility of any approach that may try to qualify trust by maiming it -- i.e., by denying some of trust's truth conditions. Of course, by artificially changing the contextual meanings of trust one cannot hope to change the need to understand it or the need to use the true richness of the concept it denotes.
Forthcoming papers will show that trust and information are necessary
and sufficient properties of a generic communication system that can use
pragmatics (environment) to transfer not only syntatics (reference)
but also semantics (sense) from a source to a destination; some results
are already available in the Appendix (see A.4.3)
and in the mcg-talk or trust-ref exchange.
1. Model of Trust versus Trust Models
The title is "Toward a Real-World Model of Trust" -- which has two sides:
First, some think that one cannot compare the "digital" and "emotional" concepts of trust -- the "digital" concept being the technical use of the word trust as in communication processes, root-keys, digital signatures, certificates, etc. and the "emotional" concept being the social understanding of the word trust in commercial, legal and personal dealings.
Clearly, and to fix notation, the term digital trust is inappropriate when applied to a communication process -- which can also be analogue. Similarly, technical trust is also misleading, e.g. a technical argument in law is quite different from a technical argument in engineering. The best word here might be "process trust", which allows not only the protocol but also the software, hardware, etc. to be included in the trust concept -- e.g. a modem can also be trusted in the communication technical sense. Similarly, "social trust" might also be better word to represent the emotional, real-world, 3D or personal aspects of trust. So, I will use preferentially both terms below: process trust and social trust.
The concept of process trust has several definitions, as I have located them and there are possibly more.
1. NSA: "a trusted system or component is one with the power to break one's security policy" .
Having presented the various definitions found for "process trust" and "social trust", we can easily observe that they are not even concordant between themselves -- much less with one another.
However, it is perhaps clear that they should all be equivalent, even though different in their own domains. In other words, it should be possible to find definitions of trust in each domain that would carry over to one another as a matter of proper focus.
Thus, in this view, both "types" of trust are not apples and speedboats. Communication protocols can and should indeed be based on social trust concepts -- i.e., real-world concepts -- and not on some ad hoc and academically unrealistic models. For example, a security design that considers trust just a synonym for authorization. Further, the author considers it already a bad sign if one is using a model of trust that divorces the digital world or communication concept of "process trust" from the emotional, personal or 3D world concept of "social trust". Instead of a "feature" of such a model, it is a bug.
In fact, the social and communication aspects of trust must be well integrated if a socially useful communication protocol is to be defined. This will also be very important for the next intermingling of cyberspace with our 3D-world, as discussed in A.4.7. As commented before, one must recognize A_4_10that unless one arrives at a real-word or social model of trust to be used in the electronic world, no logically useful communication trust model can be set forth.
This idea is not entirely new. Besides Shannon, who used it successfully 50 years ago when modeling information, Phill Hallam-Baker declared the following in Nov/94:
This can allow us to cross over different trust domains, so that a unique model of trust can represent "social trust" (i.e., 3D world, emotional, personal) when applied to a communication process (i.e., digital world) as well as represent "process trust" (i.e., digital or technical trust) when applied to a social situation.
In law, the designation "reasonable man" is a legal standard and applies
to the understanding that a judge must develop for a
jury in its decisions-- i.e., a "trust model", as the concept is defined in this work. For example, if a judge trusts that a "reasonable man" would have no doubt on the issues of fact involved, he may send the case for summary judgment.
A "reasonable man" is also a metric for the "reasonable reliance" trust model that a judge or jury can apply by themselves to a case.
I note that "reasonable reliance" is a legal objective trust model which
is being increasingly abandoned in favor of "justified
reliance" -- a legal subjective trust model. This can be explained by the technical arguments outlined in this paper, to the extent that a person always bases its acts on subjective trust -- besides the legal arguments.
Of course, technical arguments have a broad worldwide application whereas legal arguments depend on country, state and even time. However, legal arguments are interesting also -- as arguments cannot be played in isolation. I quote some of the legal arguments and case law history from a decision by the SUPREME COURT OF THE UNITED STATES, where Mr. Justice Souter delivered the opinion of the Court in case No. 94-967 of WILLIAM FIELD and NORINNE FIELD, PETITIONERS v. PHILIP W. MANS, on November 28, 1995 [SCUS]:
Clearly, we would not (as cited above) use the words: assumption, knowledge, belief or information.
As to the word trust itself, it was chosen exactly on semantic grounds for the English language. Linguistically, "Trust" is akin to "true" and "faithful", with a usual first dictionary meaning of "1 a : assured reliance on the character, ability, strength, or truth of someone or something; b : one in which confidence is placed."
So, in common English usage trust is what you place your confidence in or, expect to be truthful -- that which you can rely upon. Of course, this is a subjective metric since what a reasonable man may need to consider in order to rely upon something is quite different than what a naive truster may require. Perhaps, a naive truster will only require an indication as a reason for reliance, and perhaps also a reasonable man might do the same if what is at stake has a low value.
Thus, the explicit and abstract definitions of "trust" given here -- albeit technically directed to the terminology of Information Theory -- have a strong resemblance to everyday use, also when trust simply means reliance on an indication.
It is also important to realize the subjectiveness of the definition.
Who defines what is "essential" in the formal abstract definition, or "high-reliance"
in the explicit definitions? Who defines what is true?The truster.
The truster defines the metric used to justify what it can rely upon and
what it considers to be true. Which can be subjective, intersubjective,
objective or a mixture of such types -- as we can see in the real-world.
3. Trust Propositions, Matters of x and Metric-Functions
However, the question is: what is "x"?
First, "x" is a scalar, a trust-point. They represent behaviors which are either known or can be predicted with quasi-zero variance. This is not to be interpreted as saying that there is no room for "maybes" or even unpredictability regarding the outcome of x, of course. The point here is that while the expression "B trusts C on matters of x" means "B knows that C is predictable with quasi-zero variance on matters of x" -- and therefore B expects no surprises on such "matters of x" -- here is a short list of what "matters of x" can be:
In each of these examples, I observe that we have actually defined an equivalence class for matters that represent the "same" behavior "x" -- the same trust-point in its interactions.
But, what is "same"? Indeed, if we want to model trust, risk, certification, privacy or even the security of cryptographic protocols, one of the first questions we must ask is:
Further, we need such notion of "distance" to satisfy some requirements:
(i) the distance must be the same if I just exchange the two quantities,
so that distance "looking into" one must be the same as
"looking into" the other.
(ii) the distance must be invariant under some class of transformations,
so that I can change reference frames under that
class of transformations and still meaningfully refer to that same "distance".
(iii) the distance must correspond to a meaningful reference that I can express, order and compare -- e.g., a number (even in cardinal form -- i.e. as a measure over set equivalence).
(iv) if the distance is zero I would like the quantities to be considered "equal".
(v) Conversely, if two quantities are "equal" I would like their "distance" to be zero.
(vi) If I have three quantities which are distinguishable from each other then I would like to define the notion that a direct path between two quantities is shorter or equal than an indirect path that also includes the third quantity -- like a triangle.
Now, I note that the notion of "equality" expressed above is not simply that given by the "=" sign, but rather contains the idea of "equivalence" -- for example, 2 and 4 are equivalently even numbers, though one cannot say that "2=4". This is also often (and I will follow such usage) expressed as indistinguishability -- 2 and 4 are even numbers and are indistinguishable from one another in regard to being an even number, i.e., they cannot be distinguished from one another in that aspect.
In looking thus to a general framework to express how "close" or how "far" quantities are -- in other words, how distinguishable they are -- we realize that we have just stumbled into metric functions!
Indeed, a metric function d(x,y) is a positive-definite function (i.e., d(x,y) >= 0) that needs to satisfy four properties, which contain our "wish list" above:
How is that applied to "matters of x" and why is it useful?
Because "matters of x" defines what is trusted by the entity, one can thing of "matters of x" as a function of two arguments: the first one is x (trusted) and the second is any input y (to be tested). The output of the function indicates whether y is trusted or not:
matters-of(x,y) = 0 if trusted, a "number" > 0 otherwise.
It is easy to show that matters-of(x,y) can be defined so as to satisfy all 4 properties of a metric function.
Now, if matters-of(x,y) is zero, we can say that x is indistinguishable from y -- i.e., they are "equal" in regard to trust. So, matters of x allows us to define how "close" or how "far" some input is from being trusted -- and can even provide us *paths* to move in "closer to trust".
This is already very useful because we can represent all the various degrees of "quasi-trust" that we also follow in our reasoning -- but now in software.
However there is more, in two basic results from mathematics.
The first one is that metric functions are rather easy to find, and we are free to define whatever suits us and the modeling we have. For example, we can use the notion of probability of error, Shannon mutual information, Kolmogorov complexity, Bhattacharyya coefficient, least square error, etc.
The second one is that if we formulate these concepts into metric functions that obey the 4 properties, then it is irrelevant which one we use. It is largely a matter or convenience.
Of course, there is much more to be said about the (in)distinguishability problem and the use of metric functions, specially in potential uses of this theory of trust. But the above comments may already show the general principles involved, their usefulness and relative easy-of-use -- besides the extreme flexibility they provide.
The structure of x, while a scalar, is that of an operator that represents a process (see the specific definition of process in [Ger97]. This operator can be shown to obey the properties of a quotient ring in Mathematics, also called a skew-field. Which allows the trust-points "x" to be used as "elementary units" to construct multivectors in Grassmann's Algebra, allowing very complex m-ary trust relationships to be represented and affording an intuitive geometric vision. See the mcg-talk postings on such subject.
The concept of "proper trust" can then be mathematically defined as satisfactorily as the concept of "proper keys", by allowing trust and keys to be fully described by convenient metric functions in a coordinate-invariant formulation of certificates within a seven-dimensional metric-space . As a general result, certification in communication processes is shown to be mathematically equivalent  to the geometric problem of distance measurement in a metric-space -- as can be intuitively motivated by observing how key-distribution  works.
For two parties in a dialogue, all possible certification procedures are then classified in only two models: extrinsic and intrinsic, with a combined mode [Ger97]. All known security designs correspond to the extrinsic model -- which depends on references that are extrinsic to the current dialogue, with certification relative to a third-party or past events. The intrinsic model is a new security design -- which depends on references that are intrinsic to the current dialogue, with certification obtained by measurements that rely upon intrinsic proofs.
4. Internet Names, TSK/P, Uniqueness, Reference and Sense, Metrics, Biometrics, Bio-implants, Examples, etc.
The above discussion on trust can be used to investigate several timely questions. Questions 1 and 2 are common Internet discussion items, nowadays answered in the affirmative. Questions 3, 4,5 and 6 were supplied by Nicholas Bohm. Questions 7, 8 and 9 were supplied by a MCG participant. Questions 10 and 11 were asked by Phill Hallam-Baker in the SPKI list.
No one needs a unique name over the Internet, nor a unique e-mail address, nor even a un-ambiguous name in order to be uniquely identified. Neither globally nor locally. Everyone can use their own common names if they so wish, or any pseudonym they desire. This note shows that this is not an issue for identification or security -- while it is a recurring subject, an Internet myth. An equivocated security dogma.
Logical semantics, albeit not very well-known, was pioneered by Frege (see item A.4.3) and recognizes that a common name has two quite independent components: reference (i.e., the symbol itself, the byte string) and sense (i.e., the symbol's meaning), where the name's reference is its syntactic value and the name's sense is its semantic value. In other words, a name is viewed as a logical proposition which has two independent attributes, the name's sense representing the name's truth conditions and the name's reference representing the name's truth values. Thus, the semantic theory advanced by Frege shows that an unlimited number of entities can share the same reference (i.e., the same syntactic expression, such as "John Smith") and yet each one can be uniquely identified by their sense (i.e., each referent can be uniquely reached if and only each referent has a unique sense).
In other words, the apparently "intuitive" referential theory of meaning is wrong (see item A.4.3) and meaning can never be derived from references, no matter how many -- it is impossible to derive meaning from name. So, any person can choose at will any symbol to be represented by -- and, per se, none will be better or worse for identifying the person than any other ... in fact, they will be all equally meaningless.
If all the people named "John Smith" could choose whatever symbol they would want (ASCII, own photo, dog's photo, etc.) to be one of their "names" in a certificate, what do you think they would choose:
(a) John Smith
(b) something useful and unique as decided by them
(c) John Smith plus something useful and unique as decided by them
(d) something utterly unrelated to anything that John Smith may be, know, possess or live nearby
What would be your answer?
My answer, in the case of the proposed method, is that it could be whatever John desires: (a), (b), (c), (d) or even all of the above at the same time. And security would not suffer, neither regarding John's interests nor regarding a third party's interests.
To show how that is possible, one first needs two Lemmas:
- Lemma 1: item A.4.3 proves that certificates can fully carry references, but not sense -- not even partially and however minute. While this provides an irrefutable mathematical reason for the total uselessness of certificates to convey sense, it also shows that certificates can wholly contain the name's reference -- securely and as detailed as needed.
- Lemma 2: item A.4.3 proves further that the link between reference and sense is provided by "proper trust", an essential mathematical property in communication systems (as defined by the author in Information Theory terms).
Thus, as mathematically proved by the two Lemmas above (even though already intuitively felt by many), a certificate is only meaningful (i.e., has meaning or, sense) when there is some degree of trust associated with its signature and, each one of the certificate's data is meaningful inasmuch as it is atomically trusted to some extent. Which points out the key role played by trust in certification, in spite of the rhetoric being usually centered on the syntactic aspects of its encoding, cryptography and name schemes.
So, an entity's name can be ambiguous while the sense is not. References can be wholly and securely transported by cryptographic certificates. However, any reference, including what may be referenced in the certificate's legal "four corners", cannot be linked to sense unless one uses "proper trust". However, how can that be deemed useful, when contacting different referents that have the same reference?
This question leads to the essential role played by crypto in TSK/P to provide for reliable communications, which is not only a basis for certification but is also needed for encryption/decryption.
The final step is simple. Clearly, one hundred people could share exactly the same name and e-mail address and yet each could receive and send unique and private messages by using different crypto keys.
So, the bottom line is: with TSK/P, each person is free to improve upon his own visibility or ... switch on an invisibility cloak. The TSK/P method allows any user to control the syntax of his own names. Which is valid for any "symbol" or "name" such as common names, e-mail address, DNS addresses, keys, key-hashes, etc. -- without any adverse effect on security in regard to a third-party but with several beneficial effects regarding one's own security and privacy.
Thus, contrary to widespread belief, there is no reason to demand unique common names or addresses in order to afford identification or Internet security, because names do not identify. The world can continue to use its historical practices. Clearly, if something or someone has a globally unique name then, that is advantageous just like a globally trademarked name is useful -- by providing zero collisions. But, as above, any number of name collisions can be handled by proper semantics, proper trust and proper cryptography.
This is a very important point. The security of TSK/P is semantic -- which presupposes that its three parts must work in cooperation: "proper semantics", "proper trust" and "proper keys"-- and not just one part (e.g. keys or unique common names) or even two parts (e.g., trusted keys, trusted common names). A TSK/P user should be able to detect a key-collision (e.g., duplicated by mistake or crime) by using that key together with "proper semantics" and "proper trust" -- as long as properly allowed by the protocol (see item A.4.6 ), of course. A more subtle problem is that of avoiding eavesdropping, e.g. which may occur after an unnoticed security breach that compromises one's private-key. This question should be solved also by a combination of the three components of TSK/P -- for example, by periodically renewing proper trust and keys as a function of cost and risk. Thus, the TSK/P method does not treat keys as the one and only security barrier, neither assumes keys to be unique and valid a priori. In fact, since the method is based on an interplay between <semantics, trust, keys, pragmatics>, key uniqueness must also be subject to the method's proofs and management.
There are other benefits to this approach, not the least being the "household effect" -- where crypto can become a household word and thus deserving to be widely accepted without the psychological blocks that derive from its historical use by criminals, spies, and other despicable abuses.
As an example of technology's reach by the household effect, not long ago possession of a simple radio receiver had to be registered with proper authorities in some countries and possession of even weak radio transmitters demanded a license -- possession of a transmitter was viewed with suspicion, criminalized. But with transistors it became evident that any $5.00 could allow one to make either a receiver or a transmitter, which lead the way to its present better and un-criminal status. The same can happen with crypto, as it can cost less than $5.00 and can be as essential to day to day life.
It depends on the technical community to show that to the general public, communication companies, e-businesses, and governments. Crypto is in everyone's best interest and, when linked with "proper trust", can completely solve the current name and address ambiguity that plagues the Internet and e-business, while providing both an irrefutable reason and a good argument to restore privacy to one's private communications.
To those that may argue that "proper trust" is not so easy to grasp and is a weak point, it is easy to point out that this is not a feature of the method, but a feature of sense. Sense cannot be transported in certificates, even if the certificate includes a thousand references and even if you have a thousand certificates, all from different issuers. The paper provides a full mathematically rigorous discussion of why the referential theory of meaning fails, as initially proved by Frege, and why certificates can just transport references, never sense. Thus, certificates have no meaning per se -- even with so-called unique names, notwithstanding the names being local or global. And, clearly, when we consider the names we have in the 3D-world (i.e., common names) as compared to the ones we have in the cyber-world (i.e., keys, e-mail addresses, etc.) then we notice that the link between sense and reference is missing in both worlds -- not just in the cyber-world as often expressed.
The initial question is not whether common names or keys are temporary. Nor whether they are equivalent because they are temporary. But, what are their time scales. The Earth is temporary ... but that does not bother us at all because we live on a different time scale. Keys live on the time scale of weeks and even days or hours or minutes -- while common names last more than a lifetime (as testaments show), can be back-traced and remain legally valid even if legally changed and can be useful for centuries. Thus, key-hashes (or, keys) and common names are not similar regarding their lifetimes.
But, there are further reasons to consider common names and key-hashes (or keys) as different concepts altogether and, thus, not interchangeable.
Common names are traceable for generations (even first names and whole names, as families usually repeat first names, add I, II, III, etc.) so names have a tendency of being somewhat better if repeated, whereas hashes and keys are very ephemeral and we certainly do not expect them to be better if repeated. Thus, a repeated common name gives confidence (i.e., conveys trust) over time but a repeated key or key-hash immediately flags rejection after some time.
Further, reliance on a cert should increase if the cert contains a common name that is old (i.e., known beforehand) to you and that you can independently contact and thereby confirm the cert. However, reliance on the cert's validity must decrease with time, as discussed already. Besides, common names carry an inherent legal value which is essential in some cases -- such as in credit-card transactions, wills, etc. -- whereas keys or key-hashes do not represent any inherent legal capacity of their beholder.
Another point, and using the influential work of Leshniewski (ibid.), is that common names can be seen as members of a collective class while keys and key-hashes can be seen as members of a distributive class:
Thus, keys or key-hashes cannot be considered at par with common names
or in lieu of them -- they are objects, but of a different sort. They have
different communication purposes, different lifetimes, different trust
conditions and they belong to different logical classes.
To investigate it, suppose we express the general concept of a name, as a sign or a symbol -- e.g., my name is a symbol for myself. Then, for example, if you see footsteps on the sand (i.e., a symbol, a name) then you generally rely on the existence of someone that walked by (which is the meaning or cause of the footsteps), or, if you see smoke (i.e., a symbol, a name) you rely on the existence of fire, and so on. Or, as in the above question, you expect to find a particular mind or particular assets that have a causal relationship to the name and which provides meaning to your communication.
However, this model breaks down as I exemplify later on and Frege  has shown around 1910 in Germany. He began his reasoning by asking the simple question: "why is it that a=b is informative whereas a=a is a truth of logic and can be known a priori?"
Frege's solution was the distinction between sense (Sinn) and reference (Bedeutung), The names "a" and "b" above have the same reference "a" but differ in sense. Paraphrasing one of Frege's examples, if I tell you "I will photograph the Morning Star" or if I tell you "I will photograph the Evening Star" then, clearly, the two phrases have the same reference (i.e., the planet Venus) but one describes it as the last celestial body to disappear at dawn and the other as the first one to appear at dusk -- thus, they have different senses or meanings.
In general, these concepts are defined in an interdisciplinary area pioneered by Frege and which exists between philosophy, logic, mathematics and linguistics -- which is usually called either semiotics or semantics. The main definitions we need here are:
Applying this to certification and using Shannon's concepts from 1948, I point out that the difference between "a=b" and "a=a" is simply that the first represents a transfer in a communication channel that links past to present, whereas the second represents zero transfer. Since information is what is transferred from source to destination (i.e., information is what you do not expect) then the first statement is informational and the second statement is clearly always expected. But Frege did not know this in 1910.
However, if we ask the question: "what is a name in a digital certificate?" then we can see that the name is a reference (i.e., Frege's Bedeutung) which can be wholly contained in the certificate even down to any desired minute data in any language or form ... and thus wholly transferred in the cert -- which corresponds to "a=b" and the cert is informational regarding such reference. However, the name's sense (i.e., Frege's Sinn or meaning) cannot be contained in the certificate at all and cannot thus be transferred. If it could, then the cert would be self-referential to that referent, which is not informational and represents "a=a" -- "I am myself". Thus, sense cannot even be partially contained in a cert, otherwise that part would provide a self-reference to some part of the referent.
Which points out the futility of trying to devise name schemes however clever, with biometrics, bio-implants, GPS satellite-data and so on -- which would try to allow a name's sense to be contained in a certificate. Further, it is neither possible to transfer the sense of a globally unique name (e.g., X.500) nor the sense of a local name (e.g., PGP, etc.) -- because the problem is not the name being local or global, but the lack of capacity to transfer sense in general.
The same reasoning can be applied to keys or any other symbol which may be contained in a certificate. One can never, even partially, transfer sense (i.e., meaning) in a certificate but one may wholly transfer references.
Thus, we must recognize that certificates can contain reference information in varying degrees of completeness, but not at all the corresponding sense information that can allow such references to be meaningful -- hence, which would be essential to the receiving party if some degree of reliance is to be placed on the usage of the transferred references. There is a missing essential connection between sense and reference.
However, since certificates represent a communication channel between entities, past and future, it can be recognized that the missing connection between sense and reference can then be provided by "that which is essential to the communication channel but which cannot be transferred through that channel" -- as trust is defined (both in the context of social trust as well as process trust) and hereafter understood to be qualified as "proper trust".
Further, proper trust (process or social) allows one to inverse the process and use the references transferred in the cert in order to reach back to sense -- thus making the received data not only cryptographically secure but also meaningful.
Moreover, I can perhaps say that the sense of a complete certificate is the proposition or "thought" expressed by it -- paraphrasing Frege -- where "thought" is not something private or psychological, but essentially communicable and which must include sense and reference.
As in  :
To practically illustrate these concepts, the reader may read the former paragraph in its various possible meaning combinations (as given inside the parentheses), forming different phrases which will need to be seen as a whole in order to convey the intended "thought" -- which could not be possibly done in just one modal form with a singular choice for each possible set of references. For example, a few derived phrases are:
The protocol issue is also important because a protocol can be seen as a means of expression -- a language. Which includes syntatics and semantics, but for complex expressions and not just for atomic names. Thus, both the protocol's syntatics and semantics must be expressive enough -- i.e., must allow all possible variations and needs of sense and reference in a fair and secure way. The certificate itself, as a complex object formed by various names, can be seen both as a result of and as an input to the protocol, i.e., as being expressible and intelligible in that language. This connects directly with the question above because one must be very careful as to what the protocol biases or limitations might be -- as expressed in the protocol language. For example, if we invent a language where one can count only until 5 and thereafter it is just indicated as "many" (e.g., as in some tribes) then, clearly, some actions might not be auditable at all in that language.
This can take us to consider "effectiveness" in contrast to "correctness" (IPSEC) under a new light: trust and semantic effectiveness must be taken as first design considerations and not added on, as a modulation on a carrier. They make up the vehicle for information -- the carrier itself. They are not the final spices in a recipe. They are the assumptions.
But, some may ask, how can we objectively deal with something we can't completely measure?
In the same way that we deal with fingerprints, voice recognition, noise cancellation, and control in general. It can be argued that we can never precisely measure any control variable because not only the act of measuring itself interferes with it but also because of the finite time that must pass between measurement and the actual use of such measurement.
In that case, while some may wonder what would be the BEST token (e.g., biometrics, smart-cards, PINs, challenge-response queries, etc.) to be used for certification, we need to understand BEST as "By-Example Some Token" -- and not that any token is more significant than any other by itself. It all depends:
The solution to the points mentioned in the original question is thus to recognize that while one needs reference and sense in order to communicate one's thoughts -- names and certificates can only convey reference. Thus, sense must come from another channel, which can be a tertiary channel such as a CA or a binary channel such as to be provided by the MCS.
The main points are:
This further shows the irrelevance of the present discussions on how
to guarantee unique names, whether global names are needed or desirable
vis-a-vis privacy concerns or, if local names are better or worse than
The news is old: cyber-world and 3D-world will just converge -- as everything else!
The author's opinion is that success in cyber-space, either as a user or as a developer, will depend on our success to re-use and re-cycle what we have already done -- and when that is not possible, then by shamelessly mimicking what we already know.
And, this is easy to see.
In the cyber-world, sense is linked to reference by process trust. In the 3D-world, sense is linked to reference by social trust. . Thus, in the cyber-world, transactions are based on your reliance on three quantities and their metric relationships:
In other words, it is not so important if the credentials are social (i.e., reliable person to person contact, based on secure genetics such as physical appearance, voice intonation, etc.) or process (i.e., reliable entity to entity contact, based on secure crypto keys, unforgeable certs, etc.) in their origin. Far more important is if you can trust those "secure keys" and (often forgotten) if you can trust that entity for the purpose you have in mind (e.g., business). The entity may even be a machine or a pool of machines, a person or a pool of persons, for all you need to care.
This is what is meant by the perspective of both worlds intermingling. It is perhaps not far fetched to imagine that this is similar to the intermingling seen between the different worlds exemplified in a lawyer's office, where trainees answer letters and lawyers sign them -- and where clients trust such letters from "their" lawyer.
The main point is that as cyber and 3D worlds converge -- the differences will decrease... not increase.. which will make it easier just to mimic what we already have, as much as possible.
And, what do we see on the 3D world? Do we see one giant ID? No, we see several specific IDs, from county libraries to passports, several credit-cards, several phone cards, etc. -- all locally issued. And, there is good reason for it, privacy being not the most important for most cases -- but sheer need. That is why centralized certificate issuance (i.e., CAs) and centralized data control (i.e., hierarchical PKIs) run counter to our experience of what works. That is also why it is more intuitive to think that certificates are trusted because they certify (the subjective stance) and not that certificates certify because they are trusted (the objective stance, wrong).
Of course, any transition is difficult, painful. Indeed, this seems to be much more than just a question of investment strategy. However, the evolution of law and process will, perhaps, be swamped by the evolution of need.
Semantic security (i.e., meaning assurance) will perhaps take the heaviest blows in this transition to a global cyber-life -- as different parochial needs start crying for solutions. However, if we allow semantic security to decrease, no amount of syntactic security (e.g., certification) will do.
Which is why one may think that <process trust, social trust> will become increasingly important -- because they provide for meaning. Not only which certified key you have but ... what does it mean? Not only if the certificate is valid but if it has data which you can rely upon for some purpose you want.
Further, the author takes the stance that as the Internet experiences increasing media and protocol convergence -- people and machines will suffer massive security risks!
What was safe in separated and sanitized environments, will become security risks when they are not separated anymore. The number of interfaces will increase, so that different systems that were never thought to be in communication will be. A hacker in Israel will find himself a way to a US Pentagon computer -- which was otherwise safe inside the Pentagon. Your files in your "trusted" computer will be suddenly snatched and sold for money, to information harvesters.
Thus, certificates, for person and machines, will be needed for a great number of deals. Your data will have to be at least origin authenticated, not to say about data integrity authentication and encryption -- for several things worth doing. The level of indirection will not decrease and semantic addressing with encryption can also provide a solution to ambiguous addresses and names (see A.4.1).
Bottom line: yes, more certificates, more issuers, more subjects!
Certification needs will escalate and current systems cannot provide an
Anything can be characterized by the distinction between sense and reference,
not just names and metric functions. Specially interesting for the Internet
are signatures, keys, authorizations and methods (i.e., algorithms and
protocols) in general. So, it is important to discuss the sense of an authorization
for example, and not just its reference as expressed in a certificate.
Regarding the TSK/P process (see item A.4.1), for Internet communication irrespective of ambiguous names and addresses, one can summarize the main issues in a few points:
Let's see 3 cases of it, each one chosen so as to try to illustrate an important aspect of such truth:
Consider a communication channel that needs as an essential part of it a property X  which cannot be transferred through it and which includes your modem. Then the definition applies equally well to your modem and your modem has trust -- i.e., you are using your "trusted modem with property X" . What "trusted modem with property X" means? It means that for information transfer, the other party and/or you will need out-of-band information on property X of your modem for some essential property, as evaluated according to him and/or you.
Note: it's important to see that trust is always relative to the observer. So, if you use a trusted modem then it means that it may be trusted to you and/or to the receiving party, with possibly different connotations. In other words: who is to decide "what is essential to a communication channel but which cannot be transferred from a source to a destination using that channel"? -- the observer, which can be the source and/or the recipient.
 X: your modem and its properties, which can be anything that cannot
be transferred using that channel and that is essential to it as
judged by any or all of the parties (source and/or recipient), such as:
the guarantee that your modem itself was used (not Peter William's for
guaranteed noise limit levels of your modem, etc.
 i.e., your modem that has property X, in that channel, according to the source and/or the recipient.
Now, if your communication channel (we have to be a bit flexible here as to what one considers communication -- after all, neither Shannon nor the author have limited communication to use only electrons as carriers, or photons, etc.) uses doves as carriers, then probably the modem will not be essential to that communication channel. However, suppose that the other party decides that the doves need your modem's nice heat in order to always be warm and ready to fly on demand to him, without delay, and that he cannot rely on anything else for that function but that modem for that channel. In that case, he can also call your modem his "trusted modem with property X" , where now X is defined by .
 X: your modem that can reliably -- as judged by the recipient -- keep the doves warm and ready to fly on demand, without delay, at the source, for that channel.
Note: the example above was important also in that it highlighted the
observer's role on trust: the recipient needed trust on your modem -- not
Now consider the case that you need to communicate with a recipient in the next building which happens to have a window that is 2 meters (7 feet) distant from your window. Suppose next that your only means of communication is to write your message on your modem and toss it over to the other side. Now, even though your modem is an essential part of that communication channel (unfortunately, you may say -- but this is just a Gedankenexperiment) it can (indeed, it must) nonetheless be transferred from source to destination using that channel. So, your modem needs zero trust regarding that channel -- i.e., no trust is needed for your modem.
NOTE 1: This case is important not only for the fun of it (after all, the modem is not the author's...) but because it includes an example where no trust is needed. What does "your modem needs zero trust regarding that channel" mean? Here, it means that when the modem arrives at the destination then the recipient can rely 100% upon its arrival and does not need any other channel to tell him that the modem has arrived.
NOTE 2: "Needs zero trust" or "needs no trust" is not the same as "has no trust". To say that "channel A has no trust for property X" is the same as to say that "channel A does not transfer trust for property X" -- so, if you need trust on property X you can't use channel A alone. However, when channel A "needs zero trust for property X" it means that no other channel is needed in order to transfer property X, but channel A.
NOTE 3: There are two important facts here: (i) your modem is an objective
reality and its subjective values are not important and, (ii) your modem
had to be transferred. These facts eliminated all need for trust on your
modem, which perhaps further illustrates the definition of trust.
Trust being "that which is essential to a communication channel but which cannot be transferred from a source to a destination using that channel", then you must view the channel as a tool and first evaluate three things:
- what is your communication channel?
- what do you consider "essential" for that channel? This could be mathematically defined by you as an expression of the relative certainty desired for your specific security problem and application context, given all available knowledge you have of the operational vulnerabilities.
- what is essential for you and yet cannot be transferred using that channel?
So, suppose (respectively):
- you verify that the e-mail channel goes over a fiber optic direct cable two point link between your computer and the computer of the other person you never met before and that the person you never met before presents you a Verisign certificate class 1 which you always verify as valid in a 100% effective CRL list and successfully challenge every time you send e-mail, always using S/MIME encryption with RSA/TripleDES.
- you consider essential that the channel transfers private information, that is, information which cannot be eavesdropped within TripleDES limits. Who the other party actually is, or if it is only one party, or if it is a machine or person, is of no concern to you. Anyone that has the private-key associated with the certificate is the same for you.
Then, in this case, there is nothing you consider essential that is not being transferred.
To answer your question: for you, this channel needs zero trust for privacy. This is a good thing -- no surprises, as commented in the main section and above for CASE C. (note, again, that "needs zero trust" is not the same as "has no trust" or "has zero trust")
IMPORTANT: In this case you objectively know that the information you send in that channel is private within TripleDES limits, even in the case of a TEMPEST attack, so such trust does not need to be transferred to you out-of-band. In general, "If property X is essential to a channel, a party needs no trust for property X in that channel if and only if the party has self-trust on X".
In the above example, if you would consider that trust for that channel would be your recipient's DNA pattern, then you would not have trust on that channel even after ten years.
When you are exchanging e-mails you are using one communication channel. But you actually have more than one communication channel -- you also have memory channels, a memory being that special case of a channel in which the sender transmits signals to itself at a later point in time (such as a 10-year mailbox). Memory channels can be used to provide for "learning" capabilities in [Ger97], which is what I will use them here for.
Let us take the same case as above, but from the viewpoint of the other person. Suppose that the recipient considers "essential" that the party at the source writes and reads English with proficiency. Of course, this information cannot be transferred using that channel, because that channel transfers information and information in Information Theory has nothing to do with knowledge or meaning -- it needs trust.
This example is also interesting in that it shows that trust did not
exist in the beginning but could be built up using multiple channels.
[Ball84] Ball, J. "Memes as Replicators", Ethology and Sociobiology, vol. 5, p.159, 1984; [Bax98]
[Bax98] Baxter, R. website with a collection of quotations pertaining to Occam's Factor, Complexity, Simplicity, and Inference, at http://www.cs.monash.edu.au/~rohan/occam.html
[Che90] Cheeseman, P. "Finding the Most Probable Model", p.91, 1990; [Bax98]
[Har28] Hartley, R. V. L. "Transmission of Information", Bell Syst. Tech J., July 1928, p. 535.
[Nyq24] Nyquist, H. "Certain Factors Affecting Telegraph Speed", Bell Syst. Tech. J., April 1924, p. 324.
[Sha48] Shannon, C. A Mathematical Theory
of Communication. Bell Syst. Tech. J., vol. 27, pp. 379-423, July 1948.
See also http://cm.bell-labs.com/cm/ms/what/shannonday/paper.html for a WWW copy.
[Sha49] Shannon, C. Communication Theory
of Secrecy Systems. Bell Syst. Tech. J., vol. 28, pp. 656-715, 1949.
See also http://www3.edgenet.net/dcowley/docs.html for readable scanned images of the complete original paper.
[Szi29] Szilard, L. "Über die Entropieverminderung in einem thermodynamischen System bei Eingriffen intelligenter Wesen." Zeitschrift für Physik 53 (1929): 840-856. "On the Decrease of Entropy in a Thermodynamic System by the Intervention of Intelligent Beings." Translation in Behavioral Science 9 (1964): 301-310.
[Ger97] Gerck, E. Certification: Intrinsic, Extrinsic and Combined. MCG, http://mcwg.org/mcg-mirror/cie.htm 1997.
[Ger98a] Gerck, E. Generalized Certification Theory. Yet to be published. 1998.
[Ger98b] Gerck, E. "What is identification, that we can identify it?", MCG , http://mcwg.org/mcg-mirror/coherence.txt, 1998.
[Ger98c] Gerck, E. "What is identification, that we can identify it?, Part II", MCG , http://mcwg.org/mcg-mirror/coherence2.txt, 1998.
 Gerck, E. Trust Properties. MCG http://mcwg.org/mcg-mirror/trustprop.txt 1997.
 Gerck, E. Re: On the Nature of Trust. MCG (MCG-TALK/archives/mcg/date/article-334.html) 1997.
 Bohm, N. Authentication, Reliability and Risks. MCG http://mcwg.org/mcg-mirror/auth_b1.htm 1997.
 111229 Checking Validity. MCG http://mcwg.org/mcg-mirror/pub9x.txt 1997.
 Gerck, E., Overview of Certification Systems: X.509, CA, PGP and SKIP. MCG, http://mcwg.org/mcg-mirror/cert.htm 1997.
 reportedly, in http://www.cl.cam.ac.uk/Research/Security/Trust-Register/book.html
 www-security mailing list archive, Re: Syncytial trust? Sat, 12 Nov 94 03:31:06 -0500
 W. Carl, "Frege's Theory of Sense and Reference", ISBN 0-521-39135-0, Cambridge Press. More information at http://www.cup.org/Titles/39/0521391350.html
 Here, the metric relationships can provide for a partial-ordering of the sets, i.e., when you define an operation "=" (i.e., larger or equal) which is reflexive, anti-symmetric and transitive -- allowing one to quantitatively compare different truth conditions (i.e., sense) by ordering and comparing the values of their references, as both are linked by trust.
[S-F97] Kristin S. Shrader-Frechette, "Perceived Risks Versus Actual Risks: Managing Hazards Through Negotiation", in http://www.fplc.edu/RISK/vol1/fall/shraderF.htm
[McK96] McKnight, D. Harrison and Chervany, Norman L., "The Meanings of Trust", in http://www.misrc.umn.edu/wpaper/wp96-04.htm
[DS97] The objective here is not to apply
Dempster-Schafer Theory or the Dempster Rule, but, to point out that the
degree of belief is in general similar to the DS Theory. For a review of concepts and difficulties with DS Theory, see
[SCUS] available at http://supct.law.cornell.edu/supct/html/94-967.ZO.html
[Tar44] Alfred Tarski, "The Semantic Conception of Truth and the Foundations of Semantics", Phil. and Phenom. Res., vol. 4, 1944, pp. 341-376.
[Mein98] Meinrath, P.J. personal communication to the author, based on the study of original historical documents.
[Wal91] Walley, P. "Statistical Reasoning with Imprecise Probabilities". Chapman and Hall, 1991. See also the webpage maintained by Russel Almond, in http://bayes.stat.washington.edu/almond/gb/bel.html, with the original definitions.
[Wan93] Wang, P. " Belief Revision in Probability Theory", in Technical Report No. 74 of CRCC. A revised version appears in Proceedings of the Ninth Conference of Uncertainty in Artificial Intelligence , 519-526. Eds. David Heckerman and Abe Mamdani. (San Mateo, CA: Morgan Kaufmann), 1993. A PostScript file of the paper is available at http://www.cogsci.indiana.edu/farg/peiwang/papers.html