Re: [Full-disclosure] Security as an Enabler - Virtual Trust: An Open Ch

Subject: Re: [Full-disclosure] Security as an Enabler - Virtual Trust: An Open Challenge to All InfoSec Professionals
Date: Thu, 28 Sep 2006 11:36:21 -0400 (EDT)
Glenn,

Thanks for your reply. My response:

Most of your argument below does not get to the heart of the issue. It
seems to be an issue of semantics. You do not like the term Virtual Trust.

You write:

Many of us have argued for at least decades now that more trustworthy
systems and more trustworthy evidence for the parties to a transaction
not being fooled about the identity of their correspondents enables more
kinds of business.

It seems that you already agree with our thesis: authentication and other
security mechanisms enable business.

I might add: if true, it now appears that prior efforts to describe
authentication as a means to enable business have not made much headway.
It does not appear to be common knowledge amongst information security
professionals.

Perhaps you will find some benefit in supporting the current effort to
explain security as a business enabler.

Thank you for your comments.

Ken


I see no value in suddenly starting to use a term "virtual trust" for
trust given due to evidence produced over wires as opposed to trust given
due to evidence produced by other means.

Trust and the validity of evidence to justify it are meaningful. A new
candidate buzzword for a concept that has been around for a long time
does not.

Many of us have argued for at least decades now that more trustworthy
systems and more trustworthy evidence for the parties to a transaction
not being fooled about the identity of their correspondents enables more
kinds of business. However I see nothing virtual about the trust that is
needed. Seems to me it must be real trust, ultimately validated by real
evidence or statistics showing it is properly granted, whether granted by
a person or an automaton. Whether a human or an automaton evaluates
evidence for identity, either must use similar statistics to validate
their choices and either will probably perform better given more and more
varied evidence. If you build your authentication systems so that
available evidence is excluded, shame on you. But this observation was
published at least 14 years back, probably further, and depends on there
being real trust, real evidence, and real ways to tell (at least
statistically) whether it is being conferred justly. I suspect efforts to
separate them obscure rather than elucidate.

Glenn Everhart
