Ben Laurie blathering

Trust is a Dirty Word

Pretty much every time someone starts talking about computer security they soon get around to talking about trust. But trust is such a bad way to describe what’s going on. Let’s look at a few examples…

  • PGP’s “web of trust”. This is such a stupid name – it’s not who I trust, it’s who I’ve verified the identity of. In the vast majority of cases it’s not even that – all that is required to get a signature is some photo ID. That’s right – your “trust” is worth a tenner. (Incidentally, if you see my signature on a key you can be sure it isn’t on the basis of photo ID).
  • The Trusted Computing Group. Unless you’ve been asleep at the wheel, you’ll know this has nothing whatsoever to do with trust. I particularly love this quote:

    TCG specifications will enable more secure computing environments without compromising functional integrity, privacy, or individual rights.

    Well, OK, they could be used that way. But will they be? Of course not: this is all about Disney owning your computer.

  • “Trust and Identity Management” – you can find this all over the place – for example, Cisco, Microsoft and The Liberty Alliance all talk about it (see Google for 15.7 million more links). But none of them are really interested in trust – they’re all selling access control.
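To make the first point concrete: in the classic PGP/GnuPG model a signature on a key only asserts “I checked that this key belongs to this person”; whether the signer’s judgement should count for anything is a separate, purely local setting (“owner trust”) that is never part of the signature. The following is an added example, not code from the original post or from any PGP implementation. It models GnuPG’s default key-validity rules (a key is valid if it is certified by one fully trusted valid key or by three marginally trusted valid keys, chains at most five deep); the key names, signatures and trust settings are constructed for illustration.

```python
"""Key validity versus owner trust in the classic PGP web-of-trust model.

Added example (not from the original post). It follows GnuPG's defaults:
completes-needed = 1, marginals-needed = 3, max-cert-depth = 5.
"""
from enum import Enum


class OwnerTrust(Enum):
    """Local, unsigned, never-transmitted judgement about a key's owner."""
    UNKNOWN = 0
    NONE = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


COMPLETES_NEEDED = 1   # one fully trusted certifier suffices
MARGINALS_NEEDED = 3   # or three marginally trusted certifiers
MAX_CERT_DEPTH = 5     # longest certification chain considered


def compute_validity(certs, ownertrust):
    """Return the set of key ids considered valid (correctly bound to their
    owner) under the trust model.

    certs:      dict key_id -> set of key_ids that have signed (certified) it.
                A signature says "I verified this identity", nothing more.
    ownertrust: dict key_id -> OwnerTrust, the local opinion of whose
                verifications are believed. ULTIMATE keys are valid by fiat.
    """
    valid = {k for k, t in ownertrust.items() if t is OwnerTrust.ULTIMATE}
    for _ in range(MAX_CERT_DEPTH):          # each pass extends chains by one hop
        new_valid = set(valid)
        for key, signers in certs.items():
            if key in valid:
                continue
            # Only signatures from keys that are themselves valid AND whose
            # owners are trusted contribute; a signature alone is worth nothing.
            full = sum(1 for s in signers if s in valid and
                       ownertrust.get(s, OwnerTrust.UNKNOWN) in
                       (OwnerTrust.FULL, OwnerTrust.ULTIMATE))
            marginal = sum(1 for s in signers if s in valid and
                           ownertrust.get(s, OwnerTrust.UNKNOWN) is OwnerTrust.MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new_valid.add(key)
        if new_valid == valid:
            break
        valid = new_valid
    return valid


# Constructed sample keyring: who has certified whom.
CERTS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice", "bob", "carol"},   # three independent certifications
    "eve": {"alice"},                    # certified by alice only
    "frank": {"dave"},
}

# Constructed local trust settings for the same keyring.
OWNERTRUST = {
    "me": OwnerTrust.ULTIMATE,
    "alice": OwnerTrust.MARGINAL,
    "bob": OwnerTrust.MARGINAL,
    "carol": OwnerTrust.MARGINAL,
    "dave": OwnerTrust.FULL,
}


def demo():
    """Same signatures, two different local trust settings.

    With alice only marginally trusted, her single signature does not make
    eve's key valid. Raise alice to FULL and eve becomes valid, although not
    one signature changed: the 'trust' lives outside the web entirely.
    """
    before = compute_validity(CERTS, OWNERTRUST)
    after = compute_validity(CERTS, {**OWNERTRUST, "alice": OwnerTrust.FULL})
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("valid with alice MARGINAL:", sorted(before))
    print("valid with alice FULL:    ", sorted(after))
```

Note that `dave` becomes valid in both runs because three marginally trusted people each verified his identity, while `eve` flips between invalid and valid purely on the basis of a local setting that nobody else can see or sign. That is the whole argument: the thing the web carries around is identity verification; the trust is yours alone.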

Anyway, I could go on, but luckily I don’t have to. A friend pointed me to a rather good presentation on the subject by Dieter Gollmann, which I mostly agree with.

1 Comment

  1. I agree wholeheartedly, but I think you’re being a tad unfair to Phil. His naming of the web of trust led to lots of discussion that then led to the understanding that we weren’t talking about trust, but something else. But I think this idea was far less obvious back then.

    Comment by Adam — 23 Nov 2005 @ 16:45
