Rants, raves, and musings about Identity from the Old Man in the Corner, Dave Kearns.

Friday, May 06, 2005


Precognition?

Jamie Lewis has now posted the third part in his "thinking out loud about trust" series (although it's named Part II) where, to my mind, he goes well off the path into the heavy growth under the trees.

He suggests, first, that personal trust "is an instinct" because sometimes we hit it off with someone right away and sometimes we get bad vibes and avoid the person. But I'll hold that this is all based on our experience with people like the stranger we are confronted with. People who resemble people we trust - in looks, dress, speech, mannerisms, etc. - we naturally want to trust. This is a major part of the con man's shtick - getting you to trust him. The judgment may be part of our subconscious, but it isn't "instinctive", else newborns might behave differently.

Jamie goes on to pick up the term "recognition" (suggested by both Phil Windley and Kim Cameron). The way Lewis defines the term is fine, but the word "recognition" itself comes with a lot of connotative baggage. The dictionary gives us six definitions, but only the first three are relevant here:
1. The act of recognizing or condition of being recognized.
2. An awareness that something perceived has been perceived before.
3. An acceptance as true or valid, as of a claim: a recognition of their civil rights.


It's only the third which talks about truth or validity. Otherwise, recognition is value neutral - we can recognize someone we trust, or we can recognize someone we mistrust. One of these most likely occurs in the "instinct" issue I mention above. Of course, it may not be the particular unique person we recognize but the persona we grant them based on past experience and which allows us to judge their trustworthiness (frequently incorrectly!).

I still believe that "reliance", and the degree of reliance, is a better term for what we are groping towards when discussing trust in an IdM context.

Wednesday, May 04, 2005


A trisk-et (a trasket?)

Jamie Lewis decided that 2 parts for his Thinking Out Loud About Trust wasn't enough, so he posted Part Ia. He objected to the word "trisk" I suggested as a replacement for trust, but I don't mind. I also prefer the concept of "reliance" for these situations. The example he quotes from Phil Windley (a clerk taking a credit card) is a very good indicator of how to use reliance for confirming identity.

In reality this is analogous to the situation with "trusting" the advice (or knowledge) of a friend or acquaintance (or a stranger). You evaluate the person's experience with you, knowledge of the topic and risk of deliberate misinformation and decide how much reliance to place in the information. It might be a useful exercise to attempt to diagram how a person determines the reliability of another person, then map that to machine-to-machine interactions.

Tuesday, May 03, 2005


Trust-busting

Jamie Lewis has returned to blogging (with a vengeance, some might say), and that's welcome. Among his latest remarks is a piece on the nature of Trust as it applies to business relationships.

Many (and Jamie names a few) think "trust" is the wrong word for what is more in the nature of risk avoidance, but Lewis points out that the term "trust" is so intertwined with security (going back over 20 years) that attempting to re-define the term is probably more fruitful than trying to replace it. As he puts it: "In short, 'trust' serves as an all-too-convenient alias for a lot of hard problems. If we're trying to really define something new... then we should at least hang the old trust rug on a clothes line and beat the dust and dirt out of it."

Lewis introduces seven "building blocks" of trust:
* existing business relationships;
* legal agreements;
* cryptographic key management;
* assertions;
* shared policy;
* technical assurance;
* audit and accreditation.


These building blocks, he says, don't all have to be present in a transaction or relationship, but the more that are present (and the stronger they are), the greater the amount of "trust" that can be said to exist.

What struck me is that a number of these building blocks are strikingly similar to how humans judge trust among friends and acquaintances. I will put a lot of trust in the assertions of someone with whom I have a long, close relationship, someone who shares my outlook (i.e., "policy"), and has a history of technical mastery of the subject of the assertion (e.g., I would trust Jamie in matters of Identity and Access Management, but not necessarily on humor and comedians).

The difference, to me, is that we trust (or not) other human beings. Trusting a corporation really means trusting those who run the organization - and they can change quickly. Thus the need for multi-ream legal agreements, CPU-gobbling audit applications and media-choking logging services.

One of Jamie's all-time heroes is Johnny Carson, who got his start on network TV with the game show "Who Do You Trust" (originally called "Do You Trust Your Wife?"), which relied on the very issues I mention above (relationship, technical knowledge, shared outlook, etc.).

Security and IdM marketeers want to use the "trust" word because of the connotations from human relationships. Redefining the term for business use is, in my mind, futile - consumers don't look up the definition, they rely on (i.e., "trust") what they've always believed to be the definition. Given the somewhat murky differences between the building blocks of human trust and those of the business "trust", I think we need to drop the term completely and come up with something new. And not just "risk management", either. I'll propose "trisk" (trust + risk) as a possibility, with standards bodies setting "degrees of trisk" for transactions and relationships. But I'm open to other candidates.

© 2003-2006 The Virtual Quill, All Rights Reserved
