Had been planning for a long (?) time already to write something up on the issue of Trust in OSSTMM3© – in particular, how it doesn’t conform with received (abstract) notions of trust and how that’s a bit confusing until one thinks it through wide and deep enough.
First, a picture:
[Controlled to I/O, Vale]
Then, some explanation:
As I get it (now!), the OSSTMM model defines Trust as being an entry into or out of a system/component (objects, processes). The thing you may do when you are trusted. Literally, not the protection wall but the hole in that wall. Which isn’t some opinion thing the holder has of the visiting tourist. Interesting, but troublesome in its unsettling powers.
Dang. Running out of time again to delve into this deep enough – in particular where I wanted to link this to a previous post about identity and authentication … (this post in Dutch). OK. will move on for now, and return later. Already, if you have pointers to resolution of the differences (the whole scale (?) of them), don’t hesitate.
OSSTMM3 (and OSSTMM4) mentions trust in two different manners. First as an element of porosity. It is like asking to do do some one to do something on your behalf. If the trusted person spoils it, the trustee is the one that is stuck with the mess. You can read about it in the OSSTMM in the chapter about Security Metrics. This is a kind of trust that you can control pretty well by implementing security controls. The other type of trust is described in the OSSTMM in the chapter about trust. It tells you how trustworthy someone or something is, based on objectively determined characteristics. Following this method you won’t find if someone is either trustworthy or not, but you will find how much reason you have to trust that person. If that someone is not trustworthy enough, it also explains what can be done to increase the level of trust. You can’t control this kind of trust, but you can create rules that help to increase the trust.
Thanks Cor for the explanation. The expansion that the post needed … Interesting to see how OSSTMM’s Trust will be linked into the (ever repeating but lately, at last achieving *some* progress in results for) the research on ‘federated identity and trust on the Internet’ — as the characteristics will increasingly (if not already completely) be pulled of the ‘Net. It may work ..!