Coverage AreasServicesAbout UsPressClient AccessComplimentary ContentContact Us
Burton Group Home  


Burton GroupPress
 About 
 Categories 
 Burton Group News
 Digital Rights Management
 Directory Services
 Essays & Columns
 General
 Identity Management
 Infrastructure
 Personal Notes
 Science
 Security
 Web services
 Recent Posts 
 Hurry, Get 'Em While They're Hot!
 Signs of the Times?
 Seriosity Looks Interesting
 IdPS Blog is Up
 Microsoft's Open Specification Promise
 Cloning RFID Passports
 The End of This Story?
 Can You Say "BackLash"?
 What About Bob?, Part II
 On Blakley
Jamie Lewis - CEO and Research Chair
Opinions from Burton Group's CEO and Research Chair

« Thinking Out Loud About Trust, Part I | Main | Turtles All the Way Down »

May 04, 2005

Thinking Out Loud About Trust, Part Ia

Several folks responded to my previous post on how trust works in a business context. While it’s safe to say that the social and business contexts are different, for example, Phil Windley points out that they also share some interesting dynamics. Dan Blum said much the same thing. While no individual has the resources to measure what a business can measure, Dan says that “in either context, risk levels equate to surety levels, which equate to requirements for establishing 'trust,' or whatever you want to call it.”

I conceded in my original post that the term “trust” is so ingrained that it may well be impossible to find an alternative. Dave Kearns hopes we can find something else, and that would be fine with me too. (Although my indoctrination by excellent grade- and high-school English teachers causes me to recoil at his suggestion of “trisk” – a combination of trust and risk.) P. T. Ong chimed in with a definition as well, and agrees that “trust isn’t a good term to use in a technical discussion.” 

In his post, Phil Windley engaged in the interesting exercise of restating an example he used earlier, but this time without using the word “trust.” He appears to have succeeded. The example demonstrates using identifiers “out of context” to bootstrap a relationship. A clerk in a coffee shop asks a customer to see a form of ID (a credential) along with the credit card to reduce the risk of fraud. Here’s an excerpt from Phil’s restatement of the example:

The clerk expects that you will produce a credential that is easily authenticated. Moreover, the clerk will evaluate the level of risk based upon his perception of the level of care the issuing organization has taken to vet the person in the credential, the organization’s familiarity, and how difficult the credential is to fake. 

The clerk is gathering evidence, even though he might not think of it that way, and evaluating the evidence in an effort to reduce the risk and gain surety that the transaction will be honored.

Many stores have started asking for a driver’s license when I want to use my credit card, for obvious reasons, so this is a great example. The one word Phil didn’t use, though, and one I like a lot in its various forms, is “rely.” (It does, however, have a prominent place in P. T. Ong’s definition of trust, which appears to be consistent with Phil’s example.) In the example, the business has decided “to rely” on the third-party credential. By extension, the business has also decided to rely on the processes that the issuer used to establish an acceptable level of probability that the person applying for the credential isn’t perpetuating fraud. (As Eric Norlin points out, it is this “vetting” problem “is the house of cards foundation that we're all building upon.”) 

And that leads to one small clarification I’d like to make with regard to Phil’s example: The clerk is simply following a policy established by someone else in the business. That policy constitutes a conscious decision by the business regarding what credentials to rely on in an effort to reduce the risk of fraud. As Phil points out, the clerk may not think of the process in those terms. But you can rest assured that the person setting the policy does. Phil’s example implies this, but I think it’s worth making this point explicitly. It demonstrates clearly that what we call trust is really about reducing risk.

Perhaps, over time, we will come to see what we see as “trust” today in a business context as degrees of reliability. Where “trust” can imply a level of naiveté, “degrees of reliability” implies, at least for me, the different levels of risk management, which are appropriate for different kinds of relationships. It also nicely encompasses both ends of the relationship. On one hand, the relying party (the business the clerk works for) decides how much it wants to rely on a third-party credential. At the same time, “degrees of reliability” also implies a reputation, or even a graded system by which relying parties could determine what parties they should rely on. More food for thought.

May 4, 2005 in Identity Management | Permalink


 

HomeTerms of UsePrivacy PolicySite MapFeedback © 2003 Burton Group. All rights reserved