[OpenID] Web of trust mathematics
Peter Williams
pwilliams at rapattoni.com
Sun Aug 12 01:02:02 UTC 2007
Anyway, the phrase "computable confidence metric" prompts me
to mention the work of Audun Jøsang. I've already mentioned
this on Story Henry's blog, but this looks like another opportunity.
Among other things, his work attempts to actually measure the
notion of "confidence" (or "trust").
------------------
I have a different doctrinal background, inherited from NSA COMSEC notions. Before anyone gets upset by any of those letters, try to remember that the infosec-centered codes in that agency are staffed by well-trained computer scientists, mostly.
Anyways, one can make a deeper, more refined conceptual analysis which draws engineering clarity to the various dimensions of control:
- having generated trustworthy key
- having assigned risk metrics to sensitive objects
- having accredited the systems
- having trusted the keying material
- having identified the party
- having authenticated your peer
- having authorized a principal
YOU will now make a confidence judgement before making an access control decision. It will take into account all of the above.
OK, that was all described in an NCSC color-book publication in the mid-80s; I've long since forgotten which color. The trick was to use the cipher-based control system itself to do the computation of that confidence metric, so that this ultimately-most-trustworthy component could be formally analysed, being small and contained.