Mark Wahl got me thinking last week, with his second post on trust and the mythology of PKI.
Often, when involved in discussions around online trust, I hear the sentiment “if only we could do it as well as they do in the real world”. When expressed, it is always greeted with nods of acceptance; as if we can all just move on to saving some other part of the little ‘ol world if we could just hit such a milestone as emulating real world trust.
But what of the real world, this supposed Elysium of trust bliss? Nobody assumes that cash can’t still be counterfeited. Nobody assumes that passports and drivers licenses and birth certificates can’t be obtained fraudulently. Nobody thinks that elections can’t be rigged. People get away with all sorts of crimes in the real world, by successfully creating trust relationships that are then abused. We certainly haven’t been able to abandon a vigilant stance in the real world, and I don’t suppose we ever will. So what is it that evokes such reverence in the techie world for real world trust?
Let’s take an example from Mark Wahl’s post. I’m not sure he meant to contrast the two in exactly the way that I’m about to contrast them – but nevertheless, let’s compare the “Trusted Root authority” list on the Windows platform, to the “Trusted Adult” list that Mark pointed to in his post (I’m not sure if this list was taken verbatim from the Netsmartz site, or whether Mark paraphrased – I was unable to see such a list on the Netsmartz site, but I may have simply overlooked it).
As a very simplistic definition, the ‘Trusted Root Authority’ list contains a list of entities that may issue certificates which, when successfully validated by the browser, will result in the browser displaying a “closed lock” icon. Non-validating certificates, on the other hand, will be flagged for attention by the user.
The theory is that while you can’t necessarily count on those certificates to be used in good faith, you should be able to count on the certificates being issued in good faith — and that introduces some level of accountability into the whole affair. There is one extra level of assurance in a certificate that chains to a member of the ‘Trusted Root Authority’ list.
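To make the distinction concrete, here is an added example (my own toy model, not code from the post or from any browser) of the root-list path validation the two paragraphs above describe. It assumes a trust store that maps root names to verification keys, and it stands in real signatures with HMAC-SHA256 under a per-issuer secret so that it runs offline with only the standard library; real X.509 path validation (RFC 5280) also checks validity periods, name constraints, key usage and revocation, none of which is modelled here. The point it demonstrates is the one the text makes: a chain that reaches a listed root earns the lock, a chain to an unlisted root or with a tampered certificate gets flagged, and in neither case does the verdict say anything about whether the subject will use the certificate in good faith.

```python
"""Toy model of trusted-root path validation (added example, not from the post).

Signatures are stand-ins: HMAC-SHA256 under a per-issuer secret, so the
'key' field plays the role of a public key and the verifier needs the same
bytes the issuer used. Everything below (names, keys, chains) is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes   # the subject's verification key (toy: a shared HMAC secret)
    sig: bytes   # the issuer's "signature" over (subject, issuer, key)


def tbs(subject: str, issuer: str, key: bytes) -> bytes:
    """The to-be-signed bytes: exactly what the issuer vouches for."""
    return subject.encode() + b"|" + issuer.encode() + b"|" + key


def issue(issuer: str, issuer_key: bytes, subject: str, subject_key: bytes) -> Cert:
    """Issuer vouches for (subject, subject_key) by signing them."""
    sig = hmac.new(issuer_key, tbs(subject, issuer, subject_key), hashlib.sha256).digest()
    return Cert(subject, issuer, subject_key, sig)


def verify_sig(cert: Cert, issuer_key: bytes) -> bool:
    expected = hmac.new(issuer_key, tbs(cert.subject, cert.issuer, cert.key),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.sig)


def validate_path(chain, trust_store):
    """Walk a leaf-first chain up to a root in trust_store ({root name: key}).

    Returns (status, detail): ('valid', root) when every link verifies and the
    top issuer is a listed root; otherwise 'bad_signature', 'untrusted_root'
    or 'empty_chain'. Note what is NOT decided here: whether the leaf subject
    is the party you meant to talk to, or whether it is honest.
    """
    if not chain:
        return ("empty_chain", None)
    # Each certificate must be signed by the next one up the chain.
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject or not verify_sig(cert, parent.key):
            return ("bad_signature", cert.subject)
    top = chain[-1]
    root_key = trust_store.get(top.issuer)
    if root_key is None:
        return ("untrusted_root", top.issuer)   # chains, but not to a listed root
    if not verify_sig(top, root_key):
        return ("bad_signature", top.subject)
    return ("valid", top.issuer)


def lock_icon(chain, trust_store) -> str:
    """What the browser shows: the lock only for a fully validated path."""
    status, _ = validate_path(chain, trust_store)
    return "closed lock" if status == "valid" else "warning: " + status


# --- constructed trust store and chains -------------------------------------
ROOT_A_KEY, ROOT_B_KEY = b"root-a-key", b"root-b-key"
TRUST_STORE = {"RootCA-A": ROOT_A_KEY, "RootCA-B": ROOT_B_KEY}
INTER_KEY, LEAF_KEY = b"inter-key", b"leaf-key"

# A chain that reaches a listed root: RootCA-A -> IntermediateCA-1 -> leaf.
inter = issue("RootCA-A", ROOT_A_KEY, "IntermediateCA-1", INTER_KEY)
leaf = issue("IntermediateCA-1", INTER_KEY, "www.example.test", LEAF_KEY)
GOOD_CHAIN = [leaf, inter]

# A well-formed chain whose root is not on the list: flagged, not trusted.
ROGUE_KEY = b"rogue-key"
rogue_inter = issue("RogueRoot", ROGUE_KEY, "IntermediateCA-X", INTER_KEY)
rogue_leaf = issue("IntermediateCA-X", INTER_KEY, "www.example.test", LEAF_KEY)
ROGUE_CHAIN = [rogue_leaf, rogue_inter]

# The good leaf with its subject rewritten after issuance: signature breaks.
TAMPERED_CHAIN = [replace(leaf, subject="bank.example.test"), inter]

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("rogue", ROGUE_CHAIN),
                        ("tampered", TAMPERED_CHAIN)]:
        print(f"{name:9s} {validate_path(chain, TRUST_STORE)}  ->  {lock_icon(chain, TRUST_STORE)}")
```

Removing "RootCA-A" from `TRUST_STORE` turns the good chain into an `untrusted_root` result with no change to the certificates themselves, which is the sense in which the list is a policy decision of whoever ships the browser, not a property of the certificate; and a `valid` verdict for `www.example.test` is still only the "extra level of assurance" the paragraph above describes, not a judgement of the site.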
This is a similar concept to many of the members of the ‘Trusted Adult’ list that Mark Wahl talks about. By the documented definition a ‘Trusted Adult’ can be
- family members,
- family friends,
- clergy members,
- youth leaders,
- and law-enforcement officers.
Obviously, proof of list membership shouldn’t be sufficient assurance to place trust in all cases, just as a little closed lock icon with a blue background shouldn’t be sufficient assurance, a point that Mark makes in his post. When someone displays a police shield, they are invoking a chained certification – but the fact that the person has been issued a badge does not mean that they aren’t a criminal, it only means that in committing a crime they are, in addition to breaking the law, also breaking an agreement that they had with the certifying authority. Possession of a badge gives some amount of assurance to citizens who must decide whether to comply with orders from an individual based on the strength of the backing authority that the person represents, combined with a risk assessment as to what due diligence was done by the certifying authority to ensure that the extra assurance is properly placed. The badge also provides accountability, in case the individual acts in a manner not in accordance with their authoritative position.
Seems to me that the lists have a lot in common.
With regard to the online list, Mark says:
A further danger is that the level of trust provided by path validation will be conflated in a user’s mind with trust of identity providers, and in the future, with the trust of identities issued by that identity provider.
This exact thing happens all the time in the real world. You place initial trust in a cop because you trust the agency he/she represents. You place initial trust in a priest because you trust the agency he/she represents. You place initial trust in a teacher because of the agency he/she represents. But the ‘Trusted Adult’ list cannot be the only metric you use, because these positions have been abused, and because sometimes bad people gain positions of authority. That is life, in the real world and online. Any trust list can only be the first step in a cautious ritual that only the person living it can undergo.
No matter how perfect the system might get, people will need to know how to keep themselves safe, and the more they know and understand the tools at their disposal to expose the bad guys of the world, the safer they can be. They have to be street-smart, discerning and skeptical. Trusting someone/thing after validating their credentials is not perfect, but it is still better than trusting them without validating their credentials. Trust is not simple, and vigilance is required no matter what – all you can do is use the tools at hand to filter out as many of the bad guys as you can. People who don’t understand or use the tools are more at risk.
For example – recently a 14-year-old girl endured 10 days in a hole suffering at the hands of a psycho because she didn’t or couldn’t discern that the hand-drawn police insignia on his shirt was not the real thing. Note that this crime occurred in spite of whatever measures might have been taken by the local police force to ensure that their credentials could not be counterfeited, stolen, or fraudulently obtained. I can see no way in which the police force could have prevented this poor assignment of trust. The psycho used the most grossly low-tech mockery of a credential to pose as a member of the ‘Trusted Adult’ list, but it worked – if only the girl had even superficially validated his credentials, she might have had a warning that something might be wrong. She needed to know what to do in such a case, and her lack of knowledge of the tools at her disposal cost her terribly. The only way to prevent these kinds of attacks is to raise awareness and improve the sophistication of the general populace.
My point here is that we on the technology side can’t do everything. We can only make things harder in the cases where a sophisticated attacker tries to remove the warning signs that a savvy user might recognize. No matter how good our technology gets, poorly educated users will still be at risk. We need to help them understand who to trust, in real life and online, because at the end of it all, whether we are trusting an internet banking website or a chat room pal or a man with a shiny brass badge, we are making a personal choice that has risk attached to it, and nobody can make all of the risk go away… Trust is not a destination, it is an ever-changing journey. In the real world and everywhere else.
I’ve been ranting about this for years, mostly in the context of electronic voting. If we can simply emulate electronically that which exists in the real world – we’ll have done a good job. Any improvement we can make is gravy.
Right. Education is a necessary component. What I think that means is that the process of building a trust relationship cannot be totally automated. It means that users will have to be active participants in the process. It means that users will have to learn something for themselves so that they can make intelligent decisions while participating in the process. For example, drivers must learn things for themselves in order to safely participate in the concrete Internet. It’s not going to work if they have to call the highway help desk every time they approach a red octagonal sign.
So the question is, just what are the things and concepts that users must learn for themselves? I’m sorry I don’t have good answers; there are usability folks that are trying to come up with some. I will say that I don’t think users will have to learn the difference between public and private keys, and that they will not have to learn the definition of “claimant”, and that they will not have to learn what a so-called “root” certificate is, and that they will not have to learn about path discovery and validation, and that they will not have to learn …
The fundamental principle of human engineering applies. Design the system such that it is easy for users to do the right thing and difficult to make mistakes. And as far as security is concerned, make it difficult for miscreants to do naughty things.
‘Tis not an easy problem, methinks.
Ok – let me paraphrase your entry about the violation of trust, both on-line and in the real world as:
Blame the victim.
Pretty harsh, even for me, but let us find some quotes to support my position:
“We certainly haven’t been able to abandon a vigilant stance in the real world, and I don’t suppose we ever will. So what is it that evokes such reverence in the techie world for real world trust?”
“But the ‘Trusted Adult’ list cannot be the only metric you use, because these positions have been abused, and because sometimes bad people gain positions of authority. That is life, in the real world and online. Any trust list can only be the first step in a cautious ritual that only the person living it can undergo”
“The psycho used the most grossly low-tech mockery of a credential to pose as a member of the ‘Trusted Adult’ list, but it worked – if only the girl had even superficially validated his credentials, she might have had a warning that something might be wrong. She needed to know what to do in such a case, and her lack of knowledge of the tools at her disposal cost her terribly.”
“No matter how good our technology gets, poorly educated users will still be at risk.”
Yep – you squarely put the onus on the violated, rather than the violator every time.
I think that sums up your thoughts on the matter. I think that the optimism, (you *are* an optimist are you not), that the rest of us feel about trust in the online world is that it *should* be better than in the real world. (Yes, I find it surreal to be explaining optimism to you of all people).
Persons who violate trust try to control the information that their “mark” is exposed to – one of the really great things that the internet and computers in general are good at is providing information quickly and at the personal request of someone. It is easy to validate on-line certificates, the reason people don’t always do it is that they do not understand the concept as well as the tools. Those of you in the Identity business should make it easy and effective to make sure that no one ends up in a hole suffering at the hands of a psycho in an on-line sense. I suggest you come up with a better strategy than to blame the victim.
Personally I think we as a society need recourse to punish those that violate on-line trust – I would suggest hitting where it hurts, in the wallet.