On 2014-04-30, at 6:36 AM, ianG <[email protected]> wrote: > On 30/04/2014 02:57 am, Jeffrey Goldberg wrote: >> I have been using “trust” in a sort of behavioral way. For the sake of the >> next few sentences, I’m going to introduce some terrible terminology. >> “b-trust” >> is my “behavioral trust” which will defined in terms of “c-trust” >> (“cognitive”). >> >> So let’s say that A c-trusts B wrt to X when A is confident that B will act >> in >> way X. (Cut me some slack on “act”). A “b-trusts” B wrt to X when she behaves >> as if she c-trusts B wrt to X. >> >> So when I say that users trust their browsers to maintain a list of >> trustworthy >> CAs, I am speaking of “b-trust”. They may have no conscious idea or >> understanding what they are actually trusting or why it is (or isn’t) >> worthy of their trust. But they *behave* this way.
> Right, but this is very dangerous. You have migrated the meaning of X > in the conversation. > Users trust their browsers to do the right thing by security. > > Browsers trust their CAs to do the right thing by their ID verification. > > This does not mean that users trust their browsers to maintain a list of > trustworthy CAs. OK. So let me back peddle on “Ann trusts her browser to maintain a list of trustworthy CAs” and replace that with “Ann trusts her browser to do the right thing”. > Trusting the browsers to "do the right thing" also includes the > possibility that the browsers throw the lot out and start again. Or > drop some CAs from the list, which they only do with small weak players > that won't sue them. I am not saying that her trust is justified. > Also, one has to again refer to the nature of trust. It's a > choice-based decision. Trust is always founded on an ultimate choice. > > In this context, we would claim that users b-trust because they know > they can switch. With browsers they cannot switch. Their choice is to transmit private information using their browsers. Sure, you and I know that what protects most people from credit card fraud has nothing to do with browsers, and all has to do with regulations of the liability. But I’ve encountered plenty of people over the last few weeks who have said that they will stop using their credit cards on-line because of heartbleed, while they continue to use entirely unprotected email for things that are genuinely sensitive. Their choice is to not participate in e-commerce. > There isn't a > browser that will offer a different model (they cartelised in 1994, > basically). And there isn't a browser vendor that will take user input > on this question. Again, I’m not saying that the trust that the browser will do the right thing is justified. But the ordinary users isn’t going to curate their own list of CAs. Even the extraordinary user is only going to tinker with these under rare circumstances. (Indeed, a bug in Apple’s trust chain logic was only discovered when individual users chose to distrust DigiNotar and found that things didn’t work as documented.) > So there is no choice for the user. Again, people can chose to not participate in the system. It is a choice that has a high cost. But because the alternative to trusting the browser to do the right thing is costly, it means that people will lower their threshold. > Which is where it gets more dangerous: we can frame the question to > gain the answer we want; but who are we framing the result for ? All I’m asking is that we consider the people we are asking to “b-trust” the system. Can we build a system that is b-trustworthy for the mass of individuals who are not going to make c-trust judgements. >> I see that you’ve written on financial cryptography. Well think about >> conventional currency works. For all its problems currency works, and it is >> a system that requires “trust”. But only a negligible fraction of the people >> who successfully use the system do so through c-trust. > > Right. Now add in hyperinflation to the mix; how many people really > trust their governments to not hyperinflate? Only ones with no > collective history of it. Again, the point of that example was not to claim that people always put the appropriate amount of b-trust into a system, but simply that the on a day to day basis we all behave “as if” we trust things in the c-trust sense without that understanding. Or are you saying that we should insist that everyone develop a full and proper understanding of the system before using it? I think we should recognize that the vast majority of humanity are not as intensely curious about the particular things that we in this discussion are curious about. I also think that they shouldn’t be excluded from secure communication because of that. > Right, we're certainly in the world we are in. However, the problem > with this particular world is that it uses a language that is > 'constructed' to appear to require this particular solution. In order > to find better solutions we have to unconstruct the constructions in the > language, so as to see what else is possible. I think that we have a higher chance of success if we use a language that can talk about agents who do not have a deep or accurate understanding of why a system is supposed to work. And so, I think that, with some refinement, my notion of b-trust is worthwhile. Cheers, -j _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
