Just How Trustworthy Is A Trust Vendor?

By dotxen
A Question Of Trust

Robb Kimmer
May 5th 2005

Houston, we have a problem?

Speaking to a representative of Verisign, at the London InfoSec exhibition last Tuesday, I posed this question. How can you provide an impartial "trust" when the object of that "trust" is paying you? This simple question was not answered clearly or precisely. In fact, the representative admitted that he too had wondered at times about this very dichotomy.

As a network systems engineer and security consultant, I have always had a problem with the impartiality of companies selling trust to companies needing trust. My contention is simple: if I sell you something it will be commensurate in value with its price. You, as the client, will pay to the value that the object represents to you and the use to which you wish to put it. Therefore, there is a commercial reality at work here and it cannot be equated with impartiality. This means, logically, that the transaction is based primarily on value and not on impartial trust. If you accept this thesis it removes any value from the exchange in terms of trust and becomes a mere transaction. This compromises the certificate of trust from the outset.

The danger here is obvious. If I, as a purchaser of trust, am prepared to pay a price demanded by a vendor of trust, such as Verisign or Thawte, for that trust, then the object of this transaction is invalid. How can anyone trust the third party validator (the company that sold the trust) in a transaction, when that validator is a party to a previous commercial transaction with either the host or the recipient of the transaction taking place? This sounds a bit complicated, but it really isn't. No-one, it seems, has ever questioned the nature of the arrangement between a company that needs to acquire a certificate of trust and the company that sells certificates of trust. My opinion is that in a commercial transaction of any type there can be no impartiality. The fact that there is more than one vendor of trust is irrelevant because all vendors of trust are commercial entities.

I am not suggesting that Verisign is corrupt or that their certificates are invalid in terms of impartiality. I am posing a question that has bothered me for some time and as yet, I have not satisfied that question and neither has any vendor of trust been able to assuage my fears.

Every day, Verisign and other vendors of trust are doing business with companies all over the world. These transactions are normal business transactions and are subject to the rigours of normal commercial business. If Verisign does not make a profit, then it goes out of business. There is a pressure there to make sales. Verisign "sells" trust. This is the one factor that I cannot equate with impartiality. If my question cannot be answered in its entirety, and impartiality cannot be proven 100% with no doubt attached, then Houston, we have a problem! Every transaction that requires a certificate of trust is less than 100% trustworthy if part of the decision to issue a certificate of trust was based on a commercial transaction driven by the natural and normal profit motive.

Can we trust the certificates that we assign to our transmissions and transactions daily? I am not sure. And that is a problem for all of us working in the industry.

Robb Kimmer is a Network Systems Engineer and Consultant working in the UK. He runs MilMates Training Company and contributes articles to many magazines and web sites. If you want to contact Robb, use this e-mail

Well, you've got to trust the third party to desire a long term business.

by Tony Hopkinson, in reply to "Just How Trustworthy Is A ..."

As soon as a certification authority gets a label for certifying the untrustworthy, that means anyone certified by them would have to be considered untrustworthy.


Perceived vs. Actual Value

by Praetorpal, in reply to "Just How Trustworthy Is A ..."

Is a trustworthy product less so when it becomes a commercial entity? Have our perceptions become tainted by years of vendor hype in the security and o/s markets?

The security market is not allowed to function as a consumer powered free market because vendors do not necessarily trumpet product vulnerabilities. If it were mandatory to report all security breaches and the technologies involved (weeding out human error), the best products could be recognized. As of now, the term "never had a published vulnerability" may mean that they just never admitted publicly that they had been breached. The "stealthy" persona is part of this game.

This is one of those areas that probably relies on "gut checks" as a guide.
