Opinions from Burton Group's CEO and Research Chair
« Backup Tapes Provide Back Door | Main | Thinking Out Loud About Trust, Part Ia »
 | May 02, 2005 |
Thinking Out Loud About Trust, Part I
Phil Windley’s post about identifiers and identity contexts sparked some great responses, with both Kim Cameron and Luke Razzell over at Weaverluke chiming in with interesting things to say. In that conversation, I couldn’t help but notice Kim’s assertion that he’s “not the world's biggest fan of using the word ‘trust’ to describe the means by which we evaluate the truthfulness of digital identity claims.”
I understand Kim’s lack of comfort with the term. It gets thrown around a lot, in both a social and a business context. Given its deep roots in the X.509 public key infrastructure (PKI) marketecture, the term “trust” also carries an enormous amount of baggage. (The term can imply naiveté, for example, which at least partially explains why Bob Blakley of IBM has said on many occasions that “trust is for suckers.”)
In short, “trust” serves as an all-too-convenient alias for
a lot of hard problems. And in digital identity discussions, it’s impossible to
avoid either the term or those problems. But the various posts I pointed to
earlier (and my empathy with Kim’s statement) got me thinking. If we’re trying
to really define something new—Dick Hardt and others have gone as far as to call it
Identity 2.0—then we should at least hang the old trust rug on a clothes line
and beat the dust and dirt out of it. So I thought I’d think out loud a little
about trust and how the identity contexts and that Phil, Kim, and Luke
discussed affect our perceptions of it, and how we implement it.
In short, the social and business (or government) identity contexts
are very different. And I think it’s fair to say that they present two very
different ways of looking at “trust” and all of the hard problems that lurk
behind the term. I also suspect that at least part of Kim's discomfort relates to a transfer of the term "trust," and all of its baggage, to this next generation of digital identity and its newer social context. Before I start thinking out loud about the social side,
however, it’s useful to start by defining the more well-understood business
side, or at least its current state.
“To Trust Someone is Good; To Not Trust Someone is Even Better”
I first heard the above quote at a SIMC meeting on security
and PKI in 1999. Eliot Solomon, who does a great job of keeping SIMC
running and vital, always has to remind me that it was Sholom Bryski who said
it as part of his presentation at the SIMC meeting. (At the time, Sholom was CTO
of Bankers Trust. If I recall correctly, Sholom was actually quoting a previous
boss of his, but neither Eliot nor I can remember who Sholom was quoting.)
I love the quote because it sums up the business context for
trust very nicely. In the business world, “trust” is actually
about the process of eliminating the need for trust. (Which further explains
Blakley’s quote.) In other words, for businesses,the term “trust” is really shorthand for
surety and risk management.
Here’s how we at Burton Group define “trust” in the business
context: "The willingness of a party to take action based on its relationship
with another party." Far from being based on a “warm and fuzzy” feeling, any
given party’s “willingness” is based on seven building blocks that help
businesses compose secure relationships. As you can see in the graphic below, from the bottom up, these
building blocks are: existing business relationships, legal agreements,
cryptographic key management, assertions, shared policy, technical assurance,
and audit and accreditation.
All of these building blocks aren’t necessary in every relationship, nor do they need to be equally strong in all cases. And the building blocks tend to combine differently in different relationships. If an enterprise outsources an important function, for example, a contract (the legal agreement) should define service levels and what constitutes a breach. That will give the enterprise legal recourse if the service provider fails to fulfill its contractual duties. But let’s say the enterprise in question is a bank. If the service provider’s failure could cause the bank to fall out of compliance with regulations such as the Gramm-Leach-Bliley Act, then the bank is still on the hook, legally speaking, regardless of what the outsourcing contract says. Thus, as is often the case, a legal agreement alone is not enough. In such situations, a bank may want the outsourcer to undergo a SAS 70 audit of the shared domain to establish necessary levels of assurance.
The point of these examples is to underscore my earlier
assertion that, in the business context, “trust” is really about reducing the
need for trust. In many cases, what makes e-business relationships work is the
process of disclaiming liability, assigning liability, and creating a legal
framework for business transactions, including dispute resolution. Businesses
do this so they don’t have to trust each other. They build enough legal and
policy structure to manage and reduce the risk of doing business to acceptable
levels. They know that if things go south, they can fall back on the legal
contracts and other structure that define the “trusted” relationship.
When you consider these factors, I think you can see why Kim is uncomfortable using the term “trust,” especially to a social context. At a minimum, then, we need to start defining how the social context is different (and the same) and how notions of “trust” change in that context. And that’s for Part II.
May 2, 2005 in Identity Management | Permalink
