[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Security as an Enabler - Virtual Trust: AnOpen Challenge to All InfoSec Professionals

I see no value in suddenly starting to use a term "virtual trust" for
trust given due to evidence produced over wires as opposed to trust given
due to evidence produced by other means. 

Trust and the validity of evidence to justify it are meaningful. A new candidate
buzzword for a concept that has been around for a long time does not.

Many of us have argued for at least decades now that more trustworthy systems 
and
more trustworthy evidence for the parties to a transaction not being fooled 
about the
identity of their correspondents enables more kinds of business. However I see 
nothing
virtual about the trust that is needed. Seems to me it must be real trust, 
ultimately
validated by real evidence or statistics showing it is properly granted, 
whether granted
by a person or an automaton. Whether a human or an automaton evaluates evidence 
for
identity, either must use similar statistics to validate their choices and 
either will
probably perform better given more and more varied evidence. If you build your 
authentication
systems so that available evidence is excluded, shame on you. But this 
observation was published
at least 14 years back, probably further, and depends on there being real 
trust, real
evidence, and real ways to tell (at least statistically) whether it is being 
conferred
justly. I suspect efforts to separate them obscure rather than elucidate.

Glenn Everhart


-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx]On Behalf Of Dave "No,
not that one" Korn
Sent: Thursday, September 28, 2006 9:43 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Security as an Enabler - Virtual Trust:
AnOpen Challenge to All InfoSec Professionals


Kenneth F. Belva wrote:
> I've been defending Virtual Trust as an enabler for the past three
> days on the full-disclosure list. So far, fairly successfully.

  An enabler *of* anything in particular?  Or just some kind of magic 
enabling pixie dust, good for all purposes?

> Here's the challenge: How creative are you *for* VT, *against* VT and
> determining the *impact* of VT?

  What does "being creative *for*" something even mean?

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


**********************************************************************
This transmission may contain information that is privileged, confidential, 
legally privileged, and/or exempt from disclosure under applicable law. If you 
are not the intended recipient, you are hereby notified that any disclosure, 
copying, distribution, or use of the information contained herein (including 
any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and 
any attachments are believed to be free of any virus or other defect that might 
affect any computer system into which it is received and opened, it is the 
responsibility of the recipient to ensure that it is virus free and no 
responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and 
affiliates, as applicable, for any loss or damage arising in any way from its 
use. If you received this transmission in error, please immediately contact the 
sender and destroy the material in its entirety, whether in electronic or hard 
copy format. Thank you.
**********************************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/