The word “trust” appears very frequently in these pages. The concept is ancient and perhaps deserves no special treatment in a technical context. It is however useful to consider how trust arises. One might say that ants trust their nest mates as a matter of genetics; it is thought that they do not recognize each other individually but do recognize nest mates by pheromones.

Axelrod’s “Evolution of Cooperation” studies extremely simple individuals in an environment which provides incentives both to cooperate and to cheat. In broad circumstances, it turns out that simple traits of trustworthiness will dominate in an evolving population. With more complex individuals it becomes necessary to recognize members of a behavior group and incentives arise to signal that you are a member of the group even if you are not.

Trust between humans may arise from a perception of character in the person to be trusted. In other cases one might trust an institution that has manifested a clear business plan to deserve trust. I suppose that this is the original reason that banks built imposing buildings. Some advertising is designed to induce trust. Bonding agents can produce synthetic but useful trust arrangements.

Some people are naturally inclined to trust authority whereas others are just as inclined to distrust it. Hierarchical Certificate Authorities (PKI) appeal to those inclined to authority. Others scoff. Ellison gives independent reasons to doubt hierarchical schemes. Schemes such as PGP’s trust web attract some, but one must be wary of synthetic webs. Those comments apply as well to “key signing parties” as favored by some in the PGP community. Trust is very messy. It is tempting to assume that it is transitive.

To trust an individual or institution, two things are normally required:

1. Either their incentives or character will lead them to try to do the right thing by you,
2. They have access to appropriate technology, know-how or sub-contractors.

A frequently overlooked impediment to the latter is the lack of such means. Some institutional charters are not matched by available means. Some institutions want to perform, have the best tools but fail for lack of a solution. Sometimes trying is not enough.

Someone noted that he would trust his money but not his children to his banker, while he would trust his children but not his money to his mother-in-law. I wish my bank were more savvy on authentication.

I think that there are several ways which warrant trusting software: One may delegate the reading to a third party which may indeed be a program. The Java class verifier is a good example of this. There are better examples but they are not well developed nor widely deployed.

There are many properties that you might trust a program to have. Some of these pages are concerned with trusting that a program will not abscond with our secrets. We do not consider here the issue of trusting the code to produce correct answers except to the extent that security helps correctly written code work correctly by preventing interference from other code.