[cryptography] Let's go back to the beginning on this

Ben Laurie ben at links.org
Thu Sep 15 16:36:19 EDT 2011


On Thu, Sep 15, 2011 at 7:16 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
> Zooko said something the other day that has really stuck with me. I
> can't get it out of my head, I hope he will give us a post to explain it
> further:
>
> https://twitter.com/zooko/status/108347877872500737
> "I find the word "trust" confuses more than it communicates. Try Mark S.
> Miller's "relies on" instead!"

One great virtue of this terminology is that it leaves no doubt as to
transitivity. If A relies on B and B relies on C then there is no
possibility that A could not rely on C!

On a historical note, I think I may lay claim to that distinction (I
distinctly remember encouraging Mark to not use "trust" and instead
use "relies on" or "is vulnerable to", which makes the relationship
crystal clear, in a conversation in a car with him and Jonathan
Shapiro back when I first met him at Johns Hopkins).

Anyway, there are two separate questions:

1. How do we increase our trust in these parties we rely on? Right
now, we really have absolutely no reason to trust them. Possible
answers to this, of course, include changing who we rely on. But they
also include changing how we decide who we rely on (in context,
perhaps).

2. How do we decrease reliance? This is the great virtue of the
capability view of the world: if B could be decomposed into B1 and B2,
of which only B1 relies on C, then A can truly know that when it
interacts with B2 it is not relying on C. Capabilities encourage this
kind of decomposition naturally, and it doesn't matter if A is unaware
of the decomposition: he still has a reduced attack surface.

Much of the discussion on this list has been about 1. I truly believe
that 2 is a better focus, particularly when you start thinking about
how you percolate this kind of infrastructure up to the level of the
user.



More information about the cryptography mailing list