|Isn't this fun?|
On Apr 20, 2009, at 7:18 PM, Ken Laskey wrote:
On Apr 20, 2009, at 7:41 PM, Francis McCabe wrote:
Try a different color?
On Apr 20, 2009, at 4:02 PM, Ken Laskey wrote:
see inline. Responding to both Rex and Frank in an inconsistently indented email was even more of a pain :-)
The issue with the comments in word is that they can be hard to spot if you dont have word set up correctly. Then again, who has Word setup correctly?
On Apr 20, 2009, at 11:22 AM, Rex Brooks wrote:
I'm adding my comments inline, after reading
Ken's comments and yours, rather than as replies
to your comments at end. Obviously, I'm tilting
at windmills in a couple of important places.
At 8:58 PM -0700 4/19/09, Francis McCabe wrote:
Commenting on doc files is v. painful.
If we need to hash it, it should be in plain
text. This is from a cut and paste of the
document (the footnotes have been automatically
3.2.3 Trust and Accountability
An important aspect of the relationship between
participants in a social structure is the trust
that they have in their interactions with each
other. Trust arises in situations where one
actor interacts with another actor with the
objective of getting the latter to perform some
task or achieve some goal on behalf[D1] of the
I don't think Trust requires the "on behalf"
clause. Accountability does. I don't think "goal"
applies, RWE does.
Suggestion: "Trust arises in situations where one
actor interacts with another actor and the latter
consents to perform some task to achieve some
Real World Effect in which the former has an
Alternate suggestion: Trust arises in situations where the Trusting Actor can assess that a Trusted Actor will perform tasks necessary to realize desired real world effects.
s/will/can or might/
No, it needs to be will because I want the real world effects and my believing the Trusted actor might perform the necessary tasks does me absolutely no good.
Hmmm. If you are focusing on expected RWEs then I am on board. But there is always an element of doubt in trust; hence the can/might.
An actor may adopt a goal as a result of interacting with another actor.
There is no need to identify whose goal is
adopted or why, so I think this is fine. How the
goals of the parties align is not our concern in
Each actor has goals and I think that is sufficient without bringing in the concept of adopting goals. The term "adopting goals" implies an actor identified new goals as a result of the current interaction. While this may be true in some cases, I believe the actors respond based on already existing goals.
If I ask you to do something, that is a special case of ensuring that a goal is satisfied. If I ask you to maintain a balance in an account, there is a goal but not necessarily any actions. Hence the use of goal rather than action: action presumes that the asker knows what is needed.
I have no problem with your last comment but I still find goal adoption as a concept to be unnecessary and misleading.
RWE is actually quite closely connected to goals.
That's what I've been saying all along and what I included in the Trusting and Trusted model.
If I remember rightly, we do not define RWE in the RA. The RM talks a lot about it but only defines it in the glossary; which is non-normative.
We have gone a lot further than the RM in many ways, and so the current glossary definition needs tuning:
"The actual result of using a service, rather than merely the capability offered by a service provider"
The actual result of performing an action.
A consequence of an actor adopting a goal on
behalf of another actor is that the actor
becomes accountable to the latter for the
successful satisfaction of the goal.
Suggestion: "When an actor consents to adopt a
goal on behalf of another actor, the former
becomes accountable to the latter for the
successful satisfaction of the goal.
This is different from Trust because "goal"
applies, not RWE. RWE may be the result or one
result among others. We need to think this
through because I think Trust is based on RWE but
Accountability is based on Goal which may have
several RWEs or none.
The suggested wording gets into a different issue, the details of the trusted delegate, and it gets confusing to introduce that before we've dealt with laying other groundwork.
An actor is accountable to another actor when
the former consents to achieve an identified 938
It is important to note that the goal adopted by
one actor as a result of an interaction need not
be the same goal as that of the originating
actor. In many situations, the adopted goal is
not all the same and may even be contrary to the
desires of the original actor.
For example, if an actor wishes to use a third
party to securely transmit a message to an
interaction partner, the actor needs the
intermediary to adopt the goal of transmitting
the message, potentially without even being
aware of the actual goals involved.[D4]
The foundation for successful interaction of
this form between actors is their mutual trust
in each other - counter-balanced by the risks
Trust is an actor's private perception of the
commitment [D5] another actor has to a goal
together with an identifiable set of real world
effects associated with that goal.
Obviously, I think Trust applies to RWE not goal.
I don't expect to get this position adopted.
Suggestion: Trust is an actor's private
perception of the commitment of another actor to
the Real World Effect(s) specified in a
transaction or interaction.
I'll go back to the text I drafted earlier: Trust is a private assessment or internal perception that some entity will perform actions that will lead to an identifiable set of real world effects.
Again, I think that there are too many concepts in here. Action may or may not be required. The RWE is the key; if RWE can be stretched to include things that may already be true.
The crux is that the Trusted Actor does something (where the something could be nothing) that will result in the desired real world effect. As I noted previously, I included action in the definition because I couldn't find a useful way around it, and I have yet to see a good alternative.
The beauty of using language around goals is that you can be neutral about the need for action. It is the result that is important, not the means (unless that too is part of the goal).
Typically, it is not important to know how the
real world effect may be realized, as the
specific actions required may be private, but
the trusting actor believes that these actions
will be sufficient to result in the goal being
Trust should not be confused with the simpler,
more technical concept, of one participant
trusting that their partner in an interaction is
who they purport to be. [D6]
Trust Decision[D7] 956
A trust decision is an internal action performed
by an actor to make a commitment to perform an
action in the future.
I like this better than Degree of Balance.
See comment below for D7.
When making a choice whether or not to trust an
actor many factors may be important - an
assessment of the trustworthiness of the parties
involved, an assessment of the risks involved
and a balance of the merits of making the choice.
Evidence of Trust
Evidence of trust is the set of observable
assertions[D8] that a stakeholder may use to
Suggestion: Evidence of trust is the set of
testable assertions which can be measured in Real
World Effects that a stakeholder may use to make
a Trust Decision.
Cut to the chase: Evidence of trust is the set of Real World Effects that an actor [why switch to stakeholder?]may use to make a Trust Decision.
Absolutely not. Evidence has no direct equivalence with a set of RWEs. Evidence is measurable, RWEs are measurable, does not imply Evidence=RWE.
Evidence of trust is the set of observable assertions that an actor may use to make a Trust Decision.
Absolutely not. Evidence has nothing to do with assertions. Evidence may be physical artifacts or a set of information from which the trusting actor can assess the degree of trust.
I meant assertion in the technical, logical sense. Sorry. I certainly did not mean a drunkard's random thoughts.
Trust is based on evidence available to the
trusting actor[D9] . The evidence may be
physical artifacts or a set of information from
which the trusting actor can assess the degree
of trust. The evidence may include a history of
previous interaction with the trusting actor or
can be based on the public reputation reflecting
the experience of others in dealing with the
I'd say "Trust may be based..." Would that it
were so, then we wouldn't have the fiascos we
Trust, as a perception, *is* based on evidence (where The evidence may be physical artifacts or a set of information from which the trusting Participant can assess the degree of trust.) but the evidence or the assessment may be lacking.
A social expression of the perception of trust.[D10]
I agree with Ken. Needs to be crisper: Accumulation of observable results.
Trust is not binary, i.e. an actor is neither
completely trusted nor untrusted, because there
is typically some degree of uncertainty in the
accuracy or completeness of the evidence. Trust
is based on the confidence the trusting actor
has in the accuracy and sufficiency of the
The degree of trust exists as a property of the
trusting actor with respect to another actor or
class of actors; the reputation of an actor or
class of actors may predispose the trusting
actor to a certain extent.
If the trusting actor is aware that actions by
numerous other actors are required in order to
realize certain real world effects, the
collection of trust applicable to each step may
be considered a chain of trust.
Chain of Trust
A chain of trust is an extended set of trust
relationships between actors in which one actor
trusts another by virtue of the fact that there
is one or more intermediaries that are, in turn,
trusted by the original trusting actor and also
trust the target actor.
Agree with Ken. Needs to be tweaked such that
opaque intermediary services are included in the
trust of aggregators.
Actually, I go in the other direction and only bring in a chain of trust if there is a delegate who forgoes opacity and exposes the chain to ensure my trust compensates for risk.
I cannot grok this. Why does opacity matter here? If you can't see, then you need evidence of a different form.
Correct but if evidence is necessarily based on my seeing the entire chain, then I lose opacity for the service provided by the Trusted Actor.
Typically, chains of trust do not extend very
far as the issues involved in perceiving the
true intentions of actors are complex and
Risk is an actor's private perception that
another actor's actions will impede the first
Suggestion: Risk is an actor's private perception
that another actor's actions will result in
undesirable Real World Effects.
Risk is a private assessment or internal perception that certain undesirable real world effects may come into being.
An actor░˛s actions are based on a combination
of perceived trust and perceived risk. If there
is little or no perceived risk, then the degree
of trust may not be relevant in assessing
possible actions. For example, most people
consider there to be an acceptable level of risk
to privacy when using search engines, and submit
queries without any sense of trust being
As perceived risk increases, the issue of trust
becomes more of a consideration. There are
recognized risks in providing or accepting
credit cards as payment, and standard procedures
have been put in place to increase trust or, at
a minimum, bringing trust and risk into balance
by mitigating risk. For interactions with a high
degree of risk, the trusting actor requires
stronger or additional evidence when evaluating
the balance between risk and trust when deciding
whether to participate in an interaction.
[D1]The Trusting Actor wants the Trusted Actor
to do something. It is not necessarily something
on behalf of the Trusting Actor but just
something the Trusted Actor is prepared to do.
Actually, while I agree completely that
actors do what they want to do, I think that
there is no trust involved if there is no
connection between the actors over what one is
going to do for the other.
Not so. You are writing chunks of this RA because you have a goal of creating this guidance/elaboration/... of SOA. You are not doing it for me. From past experience, I have enough trust in you to consider differing views that I am willing to put in the time to interact. I'm assuming you do the same.
And we have no interaction? No connection? By virtue of working on a common activity there is a connection. This is a classic example of a join action. Now, there's a thought... connect trust to join action??
We have an interaction because there is trust.
As far as joint action, we still lack a clear example of a singular action, so I have no way of making the connection.
In the classic example of join action -- jointly lifting a table -- trust is involved is involved because both parties trust the other not to drop the table.
[D2]The Trusted Actor does not adopt the goals
of the Trusting Actor but rather acts according
to its own goals. If the Trusted Actor is
engaged in a phishing con, its goals have
nothing to do with the Trusting Actor's goals.
In many cases, including legitimate ones, the
Trusted Actor already has goals and is merely
acting to satisfy these and adopting nothing.
Again, stipulated that actors do their own
thing; which may well be at variance with the
intent of the trusting actor. However, trust
must be about something that both actors can
relate to. Even if the result is to break the
trust, there must be something to break!
See my comment above to Rex. I agree that trust has to do with acting on understood intent, but that has nothing to do with adopting goals.
Trust without an object of the trust is meaningless. I trust you to do something (or not). There is always a focus to the trust.
You can encapsulate that as communicated intent but what is intent?
I think the definition of intent we have is sufficient for this.
This may be similar to the distinction between a contract that is being negotiated and the executed contract. We use the same term for both, but they are different.
I see a contract in different parts of its life cycle but I don't see how that distinction applies.
In the case of trust, there is this *thing* that is the focus of the trust. It seems to me that to constrain the focus unnecessarily is to break the loose coupling mantra: each concept in the RA should be minimally constrained: sufficiently to capture the meaning and no more. Hence my reluctance to tie trust too closely to RWEs, I think that that is too closely coupled.
But you said trust requires something measurable and changes in shared state are measurable and these are defined as RWE. All that is clear in the RM. Why does referring to established concepts make this tightly coupled? What measurable things do you have in mind that are not in some way connected to RWE?
Adopting a goal is classic multi-agent terminology. But am open to alternate suggestions.
I understand the agent connection but I think we can be clearer without it. We have isolated our reference to agents and using agent terminology can be taken to imply things we do not intend.
[D3]This is only true if accountability is part
of the agreed to interaction. The perception of
accountability is part of reputation.
There very likely to be limits to
accountability. The concept itself refers to the
stance that the actors have to each other after
agreement. I do not think that accountability
should be mixed in with reputation.
As I noted above, accountability is a special attribute of the trusted delegate and in many (most?) cases, we have the interaction among peers with consistent goals and there is no need for a delegate role. We need to talk about this later but after we've laid some other groundwork. I think here is a connection between accountability and reputation, i.e. your history of accountability leads to your reputation, but it's not something that needs to be fully explored.
[D4]Again, if my business is to transmit
messages, I will transmit yours because that is
my existing goal. Transmitting your message
satisfies my goal.
Of course, that is what I was trying to communicate
I was reacting to "the actor needs the intermediary to adopt the goal."
My example was obviously confusing. I was trying to come up with an example of the ambassador mode where the role of the trustee was such that he did not need to know or agree to my actual goal in order to carry out useful contribution to my goals. The trust in the ambassador mode is limited to a form of communication and may not directly further the objectives
Let's stay away from the ambassador mode right now because that brings in other issues when we still haven't resolved the general "adopt the goal".
[D5]A sense of the Trusted Actor's commitment
may affect my perception of trust and risk, but
my trust is in seeing real world effects I want.
The real world effects the Trusted Actor wants
is private to them and not directly my interest.
We are trying to nail down what it means
to trust another actor; not whether or not the
actor is trustworthy.
And I believe nailing it down should be in terms of RWE the trusting actor expects to occur. The well-intentioned goal of the trusted actor may be irrelevant if I don't trust that actor can achieve that goal.
See comment about loose coupling. Agree with second sentence. Clearly competence factors in the trust decision.
See response to loose coupling.
Perhaps. But I do feel that the IT
version of trust is not what we are addressing
[D7]This is akin to the Degree of Balance I introduced
I know. I was trying to codify the
important concepts in trusting someone. I feel
that the decision is the pivot and the evidence
is the lever.
I was never wedded to Degree of Balance as the name, but I think the Trust Decision is based on a balancing of trust and risk. The Trust Decision may be there is insufficient trust for the risk and I will not perform an act in the future.
[D8]Real world effects. What is observable per the RM is shared state.
Shared state is the set of facts that is
potentially knowable by the parties involved.
State itself is observed by making observations
of the world -- a fact in a shared state is
measurable or it is of no interest to us.
A change in shared state, i.e a real world effect, is what is measurable.
Measurement does not itself require a change in state. (Heisenberg aside).
But I believe we have already said that change includes zero change.
[D9]This should be formally defined and used consistently.
[D10]This is too mushy. Prefer defining as an
accumulation of observations of real world
Reputation is inherently social. I am in
favour of tightening this up; but do not want to
lose the social aspect. Reputation, like trust,
is based on evidence but is not the same thing
as that evidence.
I don't think the social aspect needs to be emphasized. (public reputation reflecting the experience of others in dealing with the prospective Participant.)
Can live with this.
[D11]Disagree for SOA. I trust the actor with
whom I interact. The "chain" is typically
private and unknown to me. If the Trusted Actor
wants to expose private details, that may affect
my perception of trust and risk but any
assumption that this is required will violate
This was included because of David's
concerns. Strongly related to service
I think David and I agree on this but he can comment himself.
[D12]You've now introduced objectives! Risk
needs to be in terms of undesirable real world
effects in order to tie all this together.
Sure, no problem. I used it objectives as
short hand for desired RWEs. There is risk of
not producing desired results, and risk of
producing undesired results.
Attachment converted: Macintosh HD:smime 1038.p7s ( / ) (01653AE5)
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
MITRE Corporation, M/S H305 phone: 703-983-7934
7515 Colshire Drive fax: 703-983-1379
McLean VA 22102-7508
MITRE Corporation, M/S H305 phone: 703-983-7934
7515 Colshire Drive fax: 703-983-1379
McLean VA 22102-7508