March 15, 2005

Trusting a computer system ...

I do it all the time: bring up the website, notice the little lock icon, sometimes view the information about the certificate (mostly to see if it's expired), and then type in my credit card number and buy something. I know a bit about how this all works, but the recent Unicode / IDN character spoofing set me back a bit. How am I to know what kind of transaction is occurring, and with whom?

My good friend Dennis Hamilton (a.k.a. orcmid) has just announced TROST: Templates for Raising Open-System Trustworthiness, his M.Sc in IT dissertation project, and this is going to be a project worth watching. Dennis explains the trustworthiness aspect:

We all know trustworthiness when we see it, right? Maybe not. Starting out, I am looking at trustworthiness in terms of human arrangements for mitigation of the risks of everyday and not-so-everyday life. There is, most of all, the risk of dealing with each other, especially at a distance. I foresee a mapping into trustworthiness projected onto artifacts. I am not willing, at this point, to take my eye off of the ultimately human and social nature of trust and trustworthiness.

I agree completely. Trust is ultimately something only a person can confer. I trust you with some information about my personal plans. I ask you not to share that information and I'm trusting that you will honor that request. It's a trust relationship because you can choose to do whatever you want with my information and my request. I give my credit card to a server at a restaurant and trust that they will not write down the information and use it elsewhere. They could choose to break that trust.

However, when I enter my credit card information onto a web page I'm hoping that the system works as I think it will, and does not expose my credit card number in ways that compromise its security. But the computer system is not making any choices about whether or not to secure or expose the information; it's just following a procedure. The procedure could be flawed, or even compromised, but the computer is not exercising choice in the way a restaurant server is.

So I'm very interested in what Dennis explores, discovers, and shares. I know it's going to be a very useful piece of work in our continuing efforts to build reliable computer systems and infrastructures that I can really depend on.

Other related projects: Mary Hodder is talking about trust at SXSW. Kaliya Hamlin is promoting identity practices. I know there are many others; I can't keep up.

Posted by Bill at March 15, 2005 10:22 AM
Comments

Agree and disagree.

While in general the betrayal of trust by the waiter may be more overt, or an act of commission than the "betrayal" because of the computer, which may be due more to omission, both are possible.

You should look along the omission - commission axis as well as the human - machine. And being an advocate of all-things-in-threes, we may need to define a third axis as well.

Posted by: Marty McGowan at March 28, 2005 12:23 PM