comparison with other stored security state mechanisms [was: Re: Sharing Trust Policy between Crypto Libraries]

Martin Paljak martin at martinpaljak.net
Thu Feb 14 22:11:26 PST 2013


On Fri, Feb 15, 2013 at 12:47 AM, Ryan Sleevi <rsleevi at chromium.org> wrote:
> This brings forth the classic question of system administration: If
> the System (OS) says "Trust X", but the System (Admin) says "Do not
> trust X", and the user says "Trust X", what's the (effective) trust
> policy? The Sys Admin would like the answer to be "Do not trust" -
> after all, they are the administrative role for the system.
>
> Conversely, in a world where the System (Admin) says "Trust X", and
> the user wants to say "Do not trust X", then it seems desirable that
> the more restrictive policy is applied.

I think that's super-easy:

always honor the explicit decision of the user, if allowed by the
system administrator. Sysadmin is also a human being, making trust
decisions.

In the context of X509 and "trust" (I hate the word and the way it is
over-/mis-/abused) it is clearer than with other arbitrary settings,
as trust per se is a very personal decision and system administrators
usually step in when the notion of trust does not apply (a
closed-world corporate system, where trust is a centrally managed
property) or needs to be overridden after a catastrophe
(DigiNotar-style).

I think it is important to separate technical trust (chain validation
and key properties and whatnot) from "human trust" (a decision of an
individual for go/no go built upon the information (technical
properties and name matches etc.) provided by some software system).

Sometimes people ask me if I trust the security of the national ID
card system in Estonia, if I believe that the government can be
trusted in not having it backdoored or so (bashing the government
being a popular pastime in most countries). The answer is simple: for
the purpose of communicating with a government which I don't trust in
getting the basic things right, it doesn't matter if I trust the
technical properties of the solution provided by them.

Martin
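
Added example, not part of the original message or of any p11-glue code: a small resolver for the layered policy question discussed above, where an explicit user decision is honored unless the administrator has disallowed overriding. The `Layer` type, the `locked` set, the anchor ids X, Y, Z and the distrust-by-default fallback are assumptions made for illustration.

```python
from dataclasses import dataclass

TRUST, DISTRUST = "trust", "distrust"

@dataclass(frozen=True)
class Layer:
    name: str
    decisions: dict                  # anchor id -> TRUST or DISTRUST (explicit entries only)
    locked: frozenset = frozenset()  # assumption: anchors whose admin decision users may not override

def effective_policy(anchor, os_layer, admin, user):
    """Return (decision, deciding layer) for one trust anchor."""
    admin_choice = admin.decisions.get(anchor)
    user_choice = user.decisions.get(anchor)
    # A locked admin decision is final, whichever direction it points.
    if admin_choice is not None and anchor in admin.locked:
        return admin_choice, admin.name
    # Otherwise an explicit user decision wins, to trust or to distrust.
    if user_choice is not None:
        return user_choice, user.name
    if admin_choice is not None:
        return admin_choice, admin.name
    if anchor in os_layer.decisions:
        return os_layer.decisions[anchor], os_layer.name
    # Assumption: an anchor no layer mentions is not trusted.
    return DISTRUST, "default"

def scenarios():
    """The two cases from the quoted text, on constructed anchor ids."""
    os_layer = Layer("os", {"X": TRUST, "Y": TRUST})
    user = Layer("user", {"X": TRUST, "Y": DISTRUST})
    locked_admin = Layer("admin", {"X": DISTRUST, "Y": TRUST}, frozenset({"X"}))
    open_admin = Layer("admin", {"X": DISTRUST, "Y": TRUST})
    return {
        "X, admin locked": effective_policy("X", os_layer, locked_admin, user),
        "X, override allowed": effective_policy("X", os_layer, open_admin, user),
        "Y, override allowed": effective_policy("Y", os_layer, open_admin, user),
        "Z, unknown": effective_policy("Z", os_layer, open_admin, user),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(case, "->", result)
```

Returning the deciding layer alongside the decision lets a validator log why an anchor was accepted or rejected, which matters when the layers disagree.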

