[WG-UMA] Definition of "Trust" (borrowing from TCG)

Eve Maler eve at xmlgrrl.com
Fri Mar 4 11:34:12 EST 2011

This exchange has been chock-full of wisdom so far.  Obviously we can't solve all of the philosophical questions about trust that remain (and it seems like many questions have been answered in decades of literature). Also, different communities have been reusing the same word for different purposes. But I wonder if we can agree on a limited set of terms and concepts that allow us to push our agenda forward.

We've already divided the UMA players into tools vs. parties, which suggests a technical/legal split, something that's come up in the broader trust framework efforts as well. The technical/social/legal trust distinction we discussed yesterday seems promising. Here are those notes again:

1. Technical trust (APIs/"contracts" between software or hardware components – this approaches "compliance" to specs or profiles)
2. Social trust (expectations about responsibilities)
3. Business trust (a model of liability/indemnity that applies to parties whose responsibility rises to the level of "duty")

Would it be outrageous to consider distinct verbs for each, like this?

1. "Technical trust" = Tool A "relies on" tool B for X
2. "Social trust" = Party A "expects" party B to do X (maybe useful for certain TRs we've listed already)
3. "Business trust" = Party A "trusts" party B to do X (presumes testable compliance to assure "technical trust" underneath -- obtains only within hard protocol boundaries)

If we think this has the potential to work, we could have one diagram for the tools and what they rely on each other for, and another diagram for the parties and what they expect/trust each other to do.  We could review the specific action verbs in the second column of the trust model document in this light.



On 4 Mar 2011, at 7:47 AM, Mark Lizar wrote:

> ++1
> I very much agree.  I support the relies upon approach for message  
> flows as this reliance dictates the needed notice for each relationship.
> As Jeff and Rainer have done well to point out the flow and direction  
> of the Host and AM relationship needs to be clear for that to be  
> effective to progress these forward.
> On 4 Mar 2011, at 14:11, Thomas Hardjono wrote:
>> Thanks Mark and Rainer,
>> Yes the definition of "trust" can be many and broad :-)   For UMA, I
>> believe we need to focus on building-blocks or modules that can be
>> identified and which have a clear API purpose (e.g. expected inputs,
>> expected outputs/behaviors). I think Domenico's diagram is on track to
>> doing this.
>> So, for example, if a UMA spec states that a User "introduces a Host
>> to an AM", we need to be very exact as to the message flows, parameters
>> exchanged in the message, and the status of information stored at the
>> AM/Host (i.e. expected privacy-behavior of entities (AM/Host) when
>> holding User-related data), etc.
>> By doing so I believe:
>> (a) UMA will go beyond OAUTH2.0 as it stands today, and
>> (b) UMA will facilitate (make life easier for) the folks developing
>> Trust Frameworks and writing contracts based on these frameworks, and
>> therefore get faster adoption.
>> /thomas/
>> _______________________
>>> -----Original Message-----
>>> From: Mark Lizar [mailto:mark at smartspecies.com]
>>> Sent: Thursday, March 03, 2011 2:57 PM
>>> To: Rainer Hörbe
>>> Cc: Thomas Hardjono; 'UMA WG WG'; Thomas Hardjono
>>> Subject: Re: [WG-UMA] Definition of "Trust" (borrowing from TCG)
>>> Rainer,
>>> I just skimmed this doc and found it faintly useful for this discussion
>>> of Trust.  I highly recommend getting Piotr Cota's book as it is very
>>> technically detailed and is useful for developing a trust framework
>>> meta-model as it technically discusses all of the elements and their
>>> relationships for what we are proposing with a trust framework.
>>> Trust has 17 different basic definitions.  I think for the most part we
>>> use trust in relation to the definition where expectations exist
>>> between the AU and the AM.  In this context I would suggest that the
>>> term confidence, or reliance is used instead of trust.
>>> As for Trust Relationships referred to here in UMA, is this referring
>>> to a technical trust between technical actors?
>>> With my sociologist hat on, I am of the opinion that the intent of a
>>> trust framework for identity is so that it can be trustworthy for the
>>> management of identity in society.  If this is true then we should
>>> avoid mixing the technical trust with the social trust, as this may
>>> lead to creating a significant challenge to any effort to create a meta
>>> model of trust frameworks.
>>> When possible I suggest using the term control or confidence instead
>>> of trust in the technical context we are applying it to here.  E.g.
>>> a confidence framework can be developed so that it is trustworthy.
>>> I found this table of contents and foreword summary of Piotr's book.
>>> (attached)
>>> Best Regards,
>>> Mark
>> _______________________________________________
>> WG-UMA mailing list
>> WG-UMA at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-uma

Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl
