[cap-talk] Trust Among ETs (was: Capability levels - transparent network extension, no encryption)

Mark S. Miller markm at cs.jhu.edu
Thu Aug 17 19:51:59 EDT 2006


Jed at Webstart wrote:
> [...] it's
> not surprising that one would think of the network address as something
> that could be trusted.
[out of order]
> I was considering that "open" term to mean that all the systems on the network
> can communicate freely (e.g. no firewalls) with any other systems on the
> network. This notion of "openness" I believe is orthogonal to any concerns
> about the correctness of network addresses. Perhaps there is another term I
> should be using to avoid confusing this notion of "open" from the way you seem
> to be using the term (can't trust network addresses)?

As usual, we need more distinctions than we currently have terms for. I have 
indeed been using "open network" for the kind of ET scenario you mention, 
where you send bits out and you receive bits, but you don't really know who's 
speaking or listening. And, yes, one in which you can't trust network 
addresses. AFAIK, outside this thread on cap-talk, this usage hasn't caused 
confusion. If this seems right to y'all, I suggest that we take "open network" 
to imply these weak properties; i.e., the weak assumptions underlying 
essentially all crypto work.

If you agree, then we still need a term for what you mean by "open". How about 
"fully connected"?


> It is certainly very similar.  There is also a Mach paper from the middle to
> late 1980s that I think describes essentially the same scheme.

Sansom's system, which I mention briefly in section 25.5?


> [...] That's why I published RFC 712 - essentially an earlier version of the
> DCCS description (2/76). [...]

Do you have the text of this RFC itself? I wasn't able to find it just now by 
web searching.


> One example that I've found helpful in this regard is to consider extraterrestrial
> intelligences.  Suppose we have light communication and no other.  We really
> have no idea what's "actually" out there.  If at some point we were to try to
> separate addresses and develop separate trust for different entities out there,
> we could use some means like cryptography to do so (e.g. public key to get
> started).  However, having done so, what trust could/should we really place in
> any such separation?  For all we know it could be one big entity out there
> pretending to be many smaller ones and playing some sort of good guy/bad
> guy game to try to get us to trust in some of the entities to lead us on.

We should, by default, not rely on any claimed separation between the ETs.
However, if they do claim to be separated, we may want to support their
interaction with us in ways that respect their alleged separation. For
example, if we're running a bank and ETs Alice and Bob open accounts in our
bank, our bank's correctness should not depend on Alice and Bob being separate
identities. However, in case they are separate identities, our bank, in order
to provide good service, should enable Alice to keep her money from being
taken by Bob.

In this ET/open network scenario, the bank can differentiate between an 
alleged Alice and Bob according to their demonstrated knowledge of secrets. If 
they are not separate, they can share these secrets with each other. However, 
in case they are separate, the bank should not reveal their secrets to each other.


> There I do think cryptography is the only means for developing such separation,
> but any trust in such separation must be built up from first principles IMO.
> I'm not as concerned with building up such first principles trust as you seem
> to be.  To me it's just part of life.

I generally assume that initial trusted connectivity is bootstrapped up by 
some out of band mechanism, such as in-person exchange of YURLs on business 
cards. This places things on a sounder basis than is possible in the pure ET 
scenario. However, I also assume that, once introduced, the network of 
introduced entities will interact further over open networks.

Mapping back to your analogy, instead of distant ETs, say we're communicating 
by radio across a galactic civilization that all descends from ships launched 
from Earth. Prior to these launches, keys were exchanged. But after the 
initial dispersal, further physical contact is insignificantly rare.

-
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM
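
The bank described in the message above, sketched as an added example that is not part of the original post or any cap-talk code. The `Bank` class, its method names and the deposit-only handle are hypothetical, and it assumes a bearer secret presented over an already confidential channel stands in for "demonstrated knowledge of secrets".

```python
import hashlib
import secrets

class Bank:
    """Toy bank: authority over an account is knowledge of its secret, nothing else."""
    def __init__(self):
        self._balance = {}  # deposit_id -> balance
        self._owner = {}    # SHA-256(secret) -> deposit_id; the secret itself is never stored

    def open_account(self, initial):
        if initial < 0:
            raise ValueError("negative opening balance")
        secret = secrets.token_bytes(32)   # handed to the opener once, never echoed again
        deposit_id = secrets.token_hex(8)  # deposit-only handle, safe to publish
        self._owner[hashlib.sha256(secret).digest()] = deposit_id
        self._balance[deposit_id] = initial
        return deposit_id, secret

    def _authorize(self, secret):
        # Assumption: the channel hides the secret from eavesdroppers on the open network.
        deposit_id = self._owner.get(hashlib.sha256(secret).digest())
        if deposit_id is None:
            raise PermissionError("no account for that secret")
        return deposit_id

    def balance(self, secret):
        return self._balance[self._authorize(secret)]

    def transfer(self, secret, to_deposit_id, amount):
        src = self._authorize(secret)
        if to_deposit_id not in self._balance or not 0 < amount <= self._balance[src]:
            raise ValueError("bad destination or amount")
        self._balance[src] -= amount
        self._balance[to_deposit_id] += amount

    def total(self):
        return sum(self._balance.values())

def demo():
    bank = Bank()
    alice_id, alice_secret = bank.open_account(100)
    bob_id, bob_secret = bank.open_account(10)
    separated = False
    try:  # separate case: Bob holds only Alice's public handle, which grants no withdrawal
        bank.transfer(alice_id.encode(), bob_id, 50)
    except PermissionError:
        separated = True
    # Non-separate case: "Alice" shares her secret with "Bob"; the bank cannot tell and
    # does not need to, because conservation of money never depended on who holds it.
    bank.transfer(alice_secret, bob_id, 100)
    return separated, bank.balance(bob_secret), bank.total()
```
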

