Wednesday, May 04, 2005

fyi A thread you should follow


Pointer to blogpost:

Kobielus kommentary:

If you notice that I’m only kommenting on Kim Kameron blogposts recently, you’re not mistaken. Considering that he’s konsistently kommenting on the kommentary koming from the IdM kommunity, and I kount myself as one of that bunch, Kim’s Identity Blog is my primary “if you only read one blog today” stop. Also, I’m bored by the industry news right now, and don’t feel much like kommenting on what I read therein. Though I read that krap too.

Much as I respect the work that Dan Blum and Trent Henry do, I take issue with their definition of “trust” as "The willingness of a party to take action based on its relationship with another party." It’s a good half-definition, but it misses the essential flipside of the “trust” relationship—the ability of a party to take action based on compromise, violation, abuse, or abrogation of its relationship with another party—in other words, the ability of a party to seek reparations, restoration, and/or damages when the ground rules laid down in existing business relationships, legal agreements, assertions, and shared policy are trashed and trust is violated. It’s in that context that we rely on cryptographic key management, assertions, technical assurance, and audit and accreditation infrastructure/arrangements to establish accountability for violation of that trust.

To trust someone is good. To extract a pound of flesh from the one who violates trust isn’t better. But it’s necessary on occasion, and it must be in our power if we’re ever going to trust anybody ever over anything.

Trust isn’t about reducing the need for trust. It’s about reducing the need for lawsuits when people and organizations refuse to be held accountable for violating the trust placed in them.

Trust infrastructure provides the ammunition for enforcing accountability. It really should be called “accountability infrastructure”: PKI, directories, IdM, assertions, claims, keys, etc. It facilitates the legal discovery, case-building, ass-nailing, and asset-impoundment that is necessary if, God forbid, somebody violates the trust.

No. Burton Group doesn’t need to change their reportage on this topic. “Trust infrastructure” is an industry term of art that’s well understood. The term “trust” should only be used as an adjective to modify “infrastructure.” As a stand-alone noun, it should be avoided, in favor of “accountability,” or, more broadly, “mutual risk management.”

Trent: Monaco was fun. A last long walk and talk up and down the hills and bluffs. Thanks. Say hello to Pauli for me. And Fred, of course. Some day, maybe we’ll continue the conversation. Maybe some day soon.