From: norm@netcom.com (Norman Hardy)
Date: Tue, 20 Apr 93 15:46:00 PDT
To: cypherpunks@toad.com
Subject: Webs of Trust vs Trees of Trust
Message-ID: <9304202246.AA26311@netcom2.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


I have worked with the NCSC (National Computer Security Center)
on certifying operating systems according to the "Orange Book".
 
As I understand RIPEM there is a tree of agencies such that everyone
must trust all elements of the tree between him and the root.
This is much ingrained in all of the legally mandated security
systems that I am aware of. It assumes, at first glance, that there
is a root, an inner sanctum, which is totally trusted by all.
 
The Orange Book for operating system security has such assumptions
embedded deeply. We had to essentially weeken our security features
by disableing our "mutually supicious user" logic to meet their
requirements.
>In <40485.pfarrell@cs.gmu.edu> Pat Farrell says:
>At this Fall's National Computer Security Conference, Mr. McNulty
>was a speaker on the NIST's digital signature session. They talked about
>both the non-RSA DSS, and use of Certifying Authorities with a RSA-based
>scheme.
>>At that same conference, I gave a paper on security that described
>a fishnet of trust between systems. This was written in February 92,
>well before I read Phil's "web of trust" from the PGP docs, which I
>read sometime over the summer.
 
>During the Q&A, I asked Mr NcNulty to compare the advantages and
>disadvantages of a heirarchical CA approach to an interlocking fishnet/web
>of trust. I hoped he would at least recognize that any heirarchy has
>problems from the top down if an upper level is compromised. Instead,
>he could not address any differences. I believe that working in the
>government has made the hierarchy seem to be the only implementation that
>he envisioned. He fobbed the question off to one of his technical
>underlings, but he, too, was unable to answer it (or even coherently
>address it).
 
It is a pervasive mind-set in military security.