Trust relationships and scalability

Thesis: Systems grow reasonably well as long as capacities scale in a linear fashion. If a network requires pairwise activity to set up legal or technical trust relationships, then a party becomes a bottleneck once its capacity to handle additional contracts is exceeded.

A common principle of making systems scalable is to eliminate factors with over-proportional (non-linear) growth, and bottlenecks that have fixed limits or under-proportional capacity to grow. How can this view be applied to the trust layer of the Internet?

The simplest model of trust is that of pairwise relationships. Alice, Bob, Charlie, Dave and Eve establish pairwise mutual trust, and do the same with each new member of the community. The number of relationships is the Gaussian sum 1 + 2 + ... + (n-1) = n(n-1)/2, i.e. it grows quadratically with the number of members n.

However, this model, often used to show the benefit of public key infrastructures, does not fit the Internet, because there are zillions of clients and millions of services, and each client does not need trust relationships with all services.

If trust relationships between partners in an electronic communication on the Internet are viewed exhaustively, trust encompasses not only confidence in the identity of the partner, but also data protection (in both directions), non-repudiation and maybe some other objectives. That might even include the “anonymous” user who is profiled for marketing purposes and needs to trust that service providers do not abuse his digital trail.

If the Internet provided an implicit method to establish trust, requiring no effort by users or service providers, how many trust relationships would effectively be used? 5, 50 or 500?

5 is too few, as ubiquitous email, e-government, e-banking, e-commerce, telco, social network and employer already need more than 5; 500 sounds daunting, but the keyring on my MacBook already contains 567 login objects, even if a few may be expired. I would take 100 as an uneducated guess for a typical Internet user in 2010, but we will never know the number before such an ideal scheme is widely adopted. Whatever the number is, it is an obvious limit if the user needs to invest significant effort to set up and keep these relationships.

In a model with asymmetric relationship patterns we run into the following bottlenecks:

a) When adding a user, the user has to add and maintain a significant number (50? 500?) of trust relationships. Even spread over time, this does not work very well. I assume that most users do not read multi-page Terms of Use or License Agreements, and just take the risk of not understanding them, or rely on consumer protection laws.

b) When adding a service, the benefit of using the service must outweigh the cost of establishing the trust relationship. Applications that are infrequently used by a large number of users typically cannot be launched successfully if there is a significant cost to the user, even in terms of inconvenience. E.g. most e-Government applications suffer from this problem, because plain citizens have very few contacts with the government per year.

c) When security requirements are high, users or user organizations usually do not have the capability to properly implement and manage more than one type of complex security agreement. E.g. if a company supplies products to large manufacturers in different industries, it might have to submit to different security regimes that are difficult to align on a practical level. Or end users might be overwhelmed by the duties that different identity management schemes (mTAN from home banking, signature card from government and RSA token from employer) impose on them.

What will save the world?

Legislation:

A number of requirements in trust relationships could be governed by law, like the European data protection directive, which entitles the user to certain rights. European signature law is another example, albeit a less successful one.

Pros: What is regulated in legislation does not need to be regulated in contracts. Lawmaking is a defined process.

Cons: Laws tend to be quite general and need to be detailed further. Their life cycle is long, and their flexibility to adapt is poor. Lawmakers may be driven by the beneficiaries of the legislation, who are not necessarily the same people as the law’s “consumers”.

National identity schemes:

Pro: Governments can afford a long-term, strategic investment, even if adoption will take many years. The government, as the source of authority for the identity of citizens and legal entities, is a good brand for that type of trust. The government can package a privacy-aware policy with the identity scheme.

Con: Centralized policy with little or no participation of users and service providers; committee-type solutions that never need to develop the skill to survive on free markets; focus on government-centric business cases.

PKI:

X.509 / PKIX has been around for many years. It comes in many qualities of security, is mostly used for TLS on web servers, and can roughly be divided into two categories:

  • Trustworthy clients and servers with well-managed key material and solid implementations, typically in security-conscious enterprises;
  • Web browsers with key stores installed by the OS vendor on systems with no defined baseline protection and uneducated users. This type of security is quite easy to break.

Pro: TLS is a fairly common industry standard, well supported in most environments.

Con: The technical security relies on organizational safeguards (key management, PIN protection) that are neither common nor easy to implement. PKI solves only the problem of confidence in the user’s identity, but none of the other trust objectives.

Federations:

Pros: Might be technology neutral; interoperability with other federations is possible. Federations of federations should improve scalability by balancing independence with interoperability; the model is closer to real-life legal and administrative structures than the other solutions.

Cons: Federations, particularly those with multi-level security schemes, are fairly new.
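As an added illustration (not part of the original essay) of the pairwise count n(n-1)/2 given earlier and of the federation-of-federations argument above, the following Python model counts trust relationships as graph edges and reports the busiest node, i.e. the party that would become the bottleneck. The party names, the federation size of 50 and the single "root" federation in the hierarchical variant are constructed assumptions for the example.

```python
from itertools import combinations


def parties(n):
    """Constructed sample population: n anonymous parties."""
    return [f"party{i}" for i in range(n)]


def mesh_edges(nodes):
    """Pairwise model: every pair negotiates its own trust relationship,
    giving the Gaussian sum n(n-1)/2 of edges."""
    return set(combinations(nodes, 2))


def federation_edges(nodes, federation_size, hierarchical=False):
    """Federation model (assumed structure): each party joins exactly one
    federation (one edge per party). Federations are then either joined
    pairwise (a flat federation of federations) or each joined to a single
    root federation (hierarchical)."""
    feds, edges = {}, set()
    for i, node in enumerate(nodes):
        fed = f"fed{i // federation_size}"
        feds.setdefault(fed, []).append(node)
        edges.add((node, fed))
    if hierarchical:
        edges |= {(fed, "root") for fed in feds}
    else:
        edges |= set(combinations(sorted(feds), 2))
    return edges


def load_profile(edges):
    """Relationships per node. The maximum degree belongs to the node that
    must set up and maintain the most contracts, i.e. the bottleneck."""
    degree = {}
    for a, b in edges:
        degree[a] = degree.get(a, 0) + 1
        degree[b] = degree.get(b, 0) + 1
    if not degree:                      # a lone party has nothing to trust
        return {"total": 0, "max_degree": 0, "busiest": None}
    busiest = max(sorted(degree), key=degree.get)   # deterministic on ties
    return {"total": len(edges), "max_degree": degree[busiest], "busiest": busiest}


if __name__ == "__main__":
    for n in (5, 50, 500):              # the essay's own candidate numbers
        nodes = parties(n)
        print(n, "mesh:", load_profile(mesh_edges(nodes)))
        print(n, "flat federations of 50:", load_profile(federation_edges(nodes, 50)))
        print(n, "hierarchical:", load_profile(federation_edges(nodes, 50, True)))
```

For 500 parties the mesh needs 124,750 relationships with 499 per party, while federations of 50 need 545 (flat) or 510 (hierarchical) with one relationship per party; the load concentrates on the federations (59 or 51 edges), which is exactly the bottleneck the federation operator has to be sized for.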