Army signals security & "Clansmen" series radios
Owen Lewis
ukcrypto at maillist.ox.ac.uk
Thu, 7 Sep 2000 22:26:17 +0100
----- Original Message -----
From: "David Swarbrick" <david@swarb.freeuk.com>
To: <ukcrypto@maillist.ox.ac.uk>
Sent: 07 September 2000 19:39
Subject: RE: Army signals security & "Clansmen" series radios
> Does not the nature of the 'web of trust' encourage the
> recognition of the inherent weakness of all trust systems.
I do not believe that to be true for most of the web of trust users I have
spoken to over the last nine years.
>
> Your military background seems to have encouraged in you a belief that there
> are people - superiors - who are to be trusted, but to the extent that you
> hold that view, I cannot share it.
You may believe that to be my view but if so you are mistaken. I believe
that all transactions in information should be based either on nil trust or
on limited and conditional trust.
>
> I find the top-down trust models inherently scary. They are distinctly not
> based upon trust but on the feeling of some sort of compulsion. 'You will
> trust me' A soldier does what he does not because he trusts the officer, but
> because he bloody well just must. It works as an equivalent to trust in all
> respects save that it just isn't trust. At its enlightened best it can be
> authority.
No. The value of the strictly hierarchical model is that it sets clear bounds
to the trust placed on the sharing of information both within the hierarchy
and across its boundaries. For the former, the hierarchy determines quite
precisely to what level and, to a lesser extent, when information may be
shared. This is neither good nor bad in any meaningful sense. It is simply
very useful in serving a common hierarchical purpose.
However, as discussed obliquely with Brian in another post, it is distinctly
unhelpful - obstructive even - where information should be shared between
independent hierarchies which are, in no meaningful and binding sense,
responsible for their actions or inactions to a common centre.
Government - indeed much commercial activity - benefits from using
hierarchical models. PK (hybrid) cryptography's overriding virtue is that it
can function technically very well without any hierarchical organisation.
The points I ponder in this thread are:
1. Whether PK systems are the cryptosystems best suited for use
within hierarchical organisations. I tend to believe that they are not and
the evidence to date seems to be that many others think similarly. That is
not the same as saying that I am certain.
2. How, outside of a hierarchical organisation, are the limits of
trust to be satisfactorily defined. If they are set personally, that is no
standard, since the quality of trust actually maintained must always fall to
the level of the least trustworthy when information is shared and where the
sharing is between parties unknown and who cannot be held.
All security systems have weaknesses. The weakest seem to be those where
reliance is placed on human maintenance of the level of security that is
assured by the inhuman parts of the system. It would seem to follow
therefore, that a diminution of a human capacity to betray trust is an
important goal in the design and management of any secure system. Without
some form of hierarchical structure and in the hands of the general public
one probably sees the capacity to betray trust at its greatest though,
thankfully, not to its most serious effect. I can see that this is not a
warming touchy-feely thought but that such thoughts are not what secure
system design, evaluation and management should be about.
Regards,
Owen