Firewall Wizards mailing list archives
RE: Transitive Trust: 40 million credit cards hack'd
From: "Bill Royds" <broyds () rogers com>
Date: Sat, 18 Jun 2005 19:46:07 -0400
The problem is that people have never truly analysed trust in a systematic mathematical way. Trust is assumed to be a transitive property when it obviously is not. If Alice trusts Bob and Bob trusts Charles it is not true that Alice should or would trust Charles. Trust is not even transitive. We seem to see it as a simple relationship when it is not even well understood at all.

There has recently been some theoretical work on trust algebras (see http://security.polito.it/cms2003/Program/Roessler13/1Roessler.pdf or http://security.dstc.edu.au/staff/ajosang/papers/algcert.pdf for example) but little of it has filtered into actual practice. Yet we are building whole financial edifices on completely flawed understanding of how to use distributed trust.

We need to at least develop some systems that do it right so developers have some way of learning how to create viable systems that can have distributed security.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of George Capehart
Sent: Saturday, June 18, 2005 6:56 PM
To: Marcus J. Ranum
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

Heh. Just wait until Web services get widely deployed . . . No one is even thinking multiple trust boundaries yet . . . much less how to make systems operate across them. All the lessons we learned from the DCE, CORBA, Kerberos, SESAME, et al. (about what happens when one crosses trust boundaries *within* the organization) are about to be learned all over again, but with a much larger population . . . It's going to be a mess . . . And there will be no Plan B because no one has a clue what they're getting into . . .

I gave a talk at OWASP last year that touched on this and, out of an audience of a couple of hundred people, only a handful showed that they'd understood the magnitude of the problem.
Cheers,
/g

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
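The Alice, Bob and Charles point in the message above, as an added example that is not part of the original post: it compares hop-by-hop "transitive" acceptance with trust derived across the whole chain. The discounting operator is the one used in subjective logic, chosen here as an assumption about what a trust algebra looks like; the ratings, the threshold and the fourth party "Dave" are constructed.

```python
from dataclasses import dataclass
from functools import reduce

@dataclass(frozen=True)
class Opinion:
    """One party's direct opinion of another: belief + disbelief + uncertainty = 1."""
    b: float
    d: float
    u: float

    def __post_init__(self):
        if min(self.b, self.d, self.u) < 0 or abs(self.b + self.d + self.u - 1) > 1e-9:
            raise ValueError("b, d, u must be non-negative and sum to 1")

def discount(a_on_b: Opinion, b_on_c: Opinion) -> Opinion:
    """A's derived opinion of C, based only on B's recommendation.

    Only the share of B's opinion that A believes carries over; A's
    disbelief and uncertainty about B both turn into uncertainty about C.
    """
    return Opinion(
        b=a_on_b.b * b_on_c.b,
        d=a_on_b.b * b_on_c.d,
        u=a_on_b.d + a_on_b.u + a_on_b.b * b_on_c.u,
    )

def derived_trust(chain):
    """Fold direct opinions [A->B, B->C, ...] into A's opinion of the last party."""
    return reduce(discount, chain)

def naive_transitive(chain, threshold):
    """The flawed model: accept the far end if every hop passes on its own."""
    return all(hop.b >= threshold for hop in chain)

def policy_accepts(chain, threshold):
    """Accept only if the belief derived across the whole chain meets the threshold."""
    return derived_trust(chain).b >= threshold

# Constructed sample values: every direct relationship is rated identically.
HOP = Opinion(b=0.9, d=0.05, u=0.05)
ALICE_TO_CHARLES = [HOP, HOP]        # Alice -> Bob -> Charles
ALICE_TO_DAVE = [HOP, HOP, HOP]      # one more hop; "Dave" is hypothetical
THRESHOLD = 0.8                      # assumed acceptance policy

if __name__ == "__main__":
    for name, chain in (("Charles", ALICE_TO_CHARLES), ("Dave", ALICE_TO_DAVE)):
        print(name, derived_trust(chain), naive_transitive(chain, THRESHOLD),
              policy_accepts(chain, THRESHOLD))
```

With these values every hop passes the threshold on its own, yet the belief Alice can derive about the third party falls below it while the uncertainty grows with each hop.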