Mark Wahl got me thinking last week, with his second post on trust and the mythology of PKI.
Often, when involved in discussions around online trust, I hear the sentiment “if only we could do it as well as they do in the real world”. When expressed, it is always greeted with nods of acceptance; as if we can all just move on to saving some other part of the little ‘ol world if we could just hit such a milestone as emulating real world trust.
But what of the real world, this supposed Elysium of trust bliss? Nobody assumes that cash can’t still be counterfeited. Nobody assumes that passports and drivers licenses and birth certificates can’t be obtained fraudulently. Nobody thinks that elections can’t be rigged. People get away with all sorts of crimes in the real world, by successfully creating trust relationships that are then abused. We certainly haven’t been able to abandon a vigilant stance in the real world, and I don’t suppose we ever will. So what is it that evokes such reverence in the techie world for real world trust?
Let’s take an example from Mark Wahl’s post. I’m not sure he meant to contrast the two in exactly the way that I’m about to contrast them – but nevertheless, let’s compare the “Trusted Root authority” list on the Windows platform, to the “Trusted Adult” list that Mark pointed to in his post (I’m not sure if this list was taken verbatim from the Netsmartz site, or whether Mark paraphrased – I was unable to see such a list on the Netsmartz site, but I may have simply overlooked it).
As a very simplistic definition, the ‘Trusted Root Authority’ list contains a list of entities that may issue certificates which, when successfully validated by the browser, will result in a “closed lock” icon such as this: . Non-validating certificates, on the other hand, will be flagged for attention by the user.
The theory is that while you can’t necessarily count on those certificates to be used in good faith, you should be able to count on the certificates being issued in good faith — and that introduces some level of accountability into the whole affair. There is one extra level of assurance in a certificate that chains to a member of the ‘Trusted Root Authority’ list.
This is a similar concept to many of the members of the ‘Trusted Adult’ list that Mark Wahl talks about. By the documented definition a ‘Trusted Adult’ can be
- family members,
- family friends,
- clergy members,
- youth leaders,
- and law-enforcement officers.
Obviously, proof of list membership shouldn’t be sufficient assurance to place trust in all cases, just as a little closed lock icon with a blue background shouldn’t be sufficient assurance, a point that Mark makes in his post. When someone displays a police shield, they are evoking a chained certification – but the fact that the person has been issued a badge does not mean that they aren’t a criminal, it only means that in committing a crime they are, in addition to breaking the law, also breaking an agreement that they had with the certifying authority. Possession of a badge gives some amount of assurance to citizens who must decide whether to comply with orders from an individual based on the strength of the backing authority that the person represents, combined with a risk assessment as to what due diligence was done by the certifying authority to ensure that the extra assurance is properly placed. The badge also provides accountability, in case the individual acts in a manner not in accordance with their authoritative position.
Seems to me that the lists have a lot in common.
With regard to the online list, Mark says:
A further danger is that the level of trust provided by path validation will be conflated in a user’s mind with trust of identity providers, and in the future, with the trust of identities issued by that identity provider.
This exact thing happens all the time in the real world. You place initial trust in a cop because you trust the agency he/she represents. You place initial trust in a priest because you trust the agency he/she represents. You place initial trust in a teacher because of the agency he/she represents. But the ‘Trusted Adult’ list cannot be the only metric you use, because these positions have been abused, and because sometimes bad people gain positions of authority. That is life, in the real world and online. Any trust list can only be the first step in a cautious ritual that only the person living it can undergo.
No matter how perfect the system might get, people will need to know how to keep themselves safe, and the more they know and understand the tools at their disposal to expose the bad guys of the world, the safer they can be. They have to be street-smart, discerning and skeptical. Trusting someone/thing after validating their credentials is not perfect, but it is still better than trusting them without validating their credentials. Trust is not simple, and vigilance is required no matter what – all you can do is use the tools at hand to filter out as many of the bad guys as you can. People who don’t understand or use the tools are more at risk.
For example – recently a 14-year-old girl endured 10 days in a hole suffering at the hands of a psycho because she didn’t or couldn’t discern that the hand-drawn police insignia on his shirt was not the real thing. Note that this crime occurred in spite of whatever measures might have been taken by the local police force to ensure that their credentials could not be counterfeited, stolen, or fraudulently obtained. I can see no way in which the police force could have prevented this poor assignment of trust. The psycho used the most grossly low-tech mockery of a credential to pose as a member of the ‘Trusted Adult’ list, but it worked – if only the girl had even superficially validated his credentials, she might have had a warning that something might be wrong. She needed to know what to do in such a case, and her lack of knowledge of the tools at her disposal cost her terribly. The only way to prevent these kinds of attacks is to raise awareness and improve the sophistication of the general populace.
My point here is that we on the technology side can’t do everything. We can only make things harder in the cases where a sophisticated attacker tries to remove the warning signs that a savvy user might recognize. No matter how good our technology gets, poorly educated users will still be at risk. We need to help them understand who to trust, in real life and online, because at the end of it all, whether we are trusting an internet banking website or a chat room pal or a man with a shiny brass badge, we are making a personal choice that has risk attached to it, and nobody can make all of the risk go away… Trust is not a destination, it is an ever-changing journey. In the real world and everywhere else.