Re: Security as an Enabler - Virtual Trust: AnOpen Challenge to All InfoSec Professionals

[<Glenn.Everhart () chase com>]

I see no value in suddenly starting to use a term "virtual trust" for
trust given due to evidence produced over wires as opposed to trust given
due to evidence produced by other means. 

Trust and the validity of evidence to justify it are meaningful. A new candidate
buzzword for a concept that has been around for a long time does not.

Many of us have argued for at least decades now that more trustworthy systems and
more trustworthy evidence for the parties to a transaction not being fooled about the
identity of their correspondents enables more kinds of business. However I see nothing
virtual about the trust that is needed. Seems to me it must be real trust, ultimately
validated by real evidence or statistics showing it is properly granted, whether granted
by a person or an automaton. Whether a human or an automaton evaluates evidence for
identity, either must use similar statistics to validate their choices and either will
probably perform better given more and more varied evidence. If you build your authentication
systems so that available evidence is excluded, shame on you. But this observation was published
at least 14 years back, probably further, and depends on there being real trust, real
evidence, and real ways to tell (at least statistically) whether it is being conferred
justly. I suspect efforts to separate them obscure rather than elucidate.

Glenn Everhart


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk]On Behalf Of Dave "No,
not that one" Korn
Sent: Thursday, September 28, 2006 9:43 AM
To: full-disclosure () lists grok org uk
Cc: bugtraq () securityfocus com
Subject: Re: [Full-disclosure] Security as an Enabler - Virtual Trust:
AnOpen Challenge to All InfoSec Professionals


Kenneth F. Belva wrote:
> I've been defending Virtual Trust as an enabler for the past three
> days on the full-disclosure list. So far, fairly successfully.

  An enabler *of* anything in particular?  Or just some kind of magic 
enabling pixie dust, good for all purposes?

> Here's the challenge: How creative are you *for* VT, *against* VT and
> determining the *impact* of VT?

  What does "being creative *for*" something even mean?

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


**********************************************************************
This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from 
disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, 
copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY 
PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that 
might affect any computer system into which it is received and opened, it is the responsibility of the recipient to 
ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and 
affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in 
error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard 
copy format. Thank you.
**********************************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/