TRUST and Identity

My presentation at the West Coast Security forum went well.  I will post some more detailed updates at a later point but for now I will share the “fable” that seemed to hit the mark.

Every year my wife and I have a Christmas Party.  Now, in the Caribbean, where a great proportion of our party-goers have their ancestral roots, there is an unspoken assumption.  This unspoken assumption tells you that if you invite a person, you have also invited their sister, their sister’s husband, and the cousin who just flew in the other day.

I am comfortable with the original party-goers I invited; we will call them the OPGs.  I know them.  I trust them.  I also know I could track them down if something goes wrong.


But these other people, the uninvited, are somewhat of an enigma to me.  The OPGs obviously trust the uninvited and vouch for their integrity. Since I trust the OPGs, I, to a certain extent, transfer this trust to the uninvited.
Nevertheless, as the uninvited cross my threshold some would say that, all my misgivings aside, I now trust them.

This is just wrong.

Just because I know who they are doesn’t mean I trust their intent.  As the verifier, I carry a considerable amount of personal baggage.  Didn’t one of the OPG’s trusted friends destroy my house last time?  When was the last time the OPG actually spent time with his or her cousin?  What are my chances of seeing this cousin again if he flies back to the sunny Caribbean?

What has inspired me to let these people in my house is not my trust in them but trust in the precautions I took before their arrival.  I spent a little extra time cleaning the downstairs bathroom to make it more appealing than the upstairs one, I put away the good china, I locked my wife’s jewelry box away and, most importantly, I hid all my fifty-year-old rum.

So this, to a certain extent, is the irony in Identity Trusts.  The actual driving force that allows me to trust identity is not successful authentication; rather, it is the confidence in my access controls to prevent malicious behaviour.

I couldn’t care less that Bob is Bob.  This doesn’t mean that it isn’t nice to know that Bob is Bob.  Knowing his identity creates accountability.  Accountability shapes Bob’s behaviour when he is in my house.  Accountability gives me a name to follow up with if something gets broken.

The caveat, however, is that my knowledge of Bob’s identity doesn’t guarantee I can make Bob pay.  For that I still have to go through an expensive and time-consuming court case.  That is a hassle and makes my knowledge of his identity less valuable than my preventative measures.  In reality, the biggest reason that I let Bob in my house is because I know that, even if he wanted to, he could not get access to my prized rum collection.

The house party fable applies nicely to the trend of federation and cross-enterprise SSO, especially in the case where hundreds of thousands of identities may whiz across a network. Ultimately, the fable shows us two things:

-The truth of claims can never be absolute.
-Identification in and of itself does not determine trust.

In the case of the former:
-People lie or can be corrupted.
-Passwords are “cracked” or given up.
-Tokens can be lost or stolen.
-Body parts can be removed.

In the case of the latter:
-Identity systems do not determine intent.
-Most Identity Management systems do not have reputation systems.
-Most Identity Management systems do not have dynamic entitlements.
-And finally, Access Control is often poorly implemented.

More in a later post. . .