Re: [soa-rm-ra] revised trust write-up and response to comments

[Rex Brooks <rexb@starbourne.com>]

As Frank noted, we fought tooth and toenail on the definitions for Trust 
and Risk, so while some of this might be appropriate for inclusion in 
the explanatory text, it is unlikely that we will change the definition 
of Risk. I think this discussion would be highly appropriate to the 
decision process for designing a solution architecture, where the depth 
of accountability needs to be in place for documenting the interrelated 
assessment of Trust and Risk. In that context I would take it further 
and demand that there be measurable evidence for that assessment to 
ensure accountability in decision making.

Cheers,
Rex

Ellinger, Robert S (IS) wrote:
> You only trust if you accept the risk. Accepting the risk is based on 
> probability of occurrence and impact if it occurs. You must trust in 
> your assessment of probability and impact. If those are unknown, I 
> would have a low level of trust
>
> *From:* Ken Laskey [mailto:klaskey@mitre.org]
> *Sent:* Wednesday, August 26, 2009 10:44 AM
> *To:* Ellinger, Robert S (IS)
> *Cc:* Lublinsky, Boris; soa-rm-ra@lists.oasis-open.org
> *Subject:* Re: [soa-rm-ra] revised trust write-up and response to comments
>
> But in the same sense trust is an unknown. Her assessment has to do 
> with her perception of the complexity and amount of time the work will 
> take. My trust (or her trust) in her ability to do the work is based 
> on things that are not precisely known. The uncertainty is discussed 
> at the bottom of the second page.
>
> Ken
>
> On Aug 26, 2009, at 10:32 AM, Ellinger, Robert S (IS) wrote:
>
>> That is because you have assessed and accepted the risk that she will 
>> not get her homework done. Still the unknown is whether she has time.
>>
>> *From:* Ken Laskey [mailto:klaskey@mitre.org]
>> *Sent:* Wednesday, August 26, 2009 10:27 AM
>> *To:* Ellinger, Robert S (IS)
>> *Cc:* Lublinsky, Boris; soa-rm-ra@lists.oasis-open.org 
>> <mailto:soa-rm-ra@lists.oasis-open.org>
>> *Subject:* Re: [soa-rm-ra] revised trust write-up and response to 
>> comments
>>
>> Bob,
>>
>> I have to disagree that “A Risk is an Unknown” pure and simple.
>>
>> I can be very aware of what the risk is and it makes it no less a 
>> risk. My daughter wants to go to a friend's house but if she does 
>> there is a risk she will not have time to do her homework. A very 
>> clearly understood risk with a very clear undesirable RWE.
>>
>> Ken
>>
>> On Aug 26, 2009, at 10:12 AM, Ellinger, Robert S (IS) wrote:
>>
>>> Ken--looks reasonable so far, except for your definition of risk. 
>>> See attached.
>>> Bob
>>>
>>> *From:* Ken Laskey [mailto:klaskey@mitre.org]
>>> *Sent:* Wednesday, August 26, 2009 10:00 AM
>>> *To:* Lublinsky, Boris
>>> *Cc:* soa-rm-ra@lists.oasis-open.org 
>>> <mailto:soa-rm-ra@lists.oasis-open.org>
>>> *Subject:* Re: [soa-rm-ra] revised trust write-up and response to 
>>> comments
>>>
>>> Responses in the attached. In general, I saw no major issues.
>>>
>>> I accepted previous changes in side bubbles to reduce the clutter.
>>>
>>> Ken
>>>
>>> On Aug 25, 2009, at 8:25 PM, Lublinsky, Boris wrote:
>>>
>>>> Small comments
>>>> *From:* Laskey, Ken [mailto:klaskey@mitre.org]
>>>> *Sent:* Tuesday, August 25, 2009 10:47 AM
>>>> *To:* soa-rm-ra@lists.oasis-open.org 
>>>> <mailto:soa-rm-ra@lists.oasis-open.org> RA
>>>> *Subject:* [soa-rm-ra] revised trust write-up and response to comments
>>>> All,
>>>> The attached is a revised trust draft that incorporates pieces of 
>>>> Frank’s text and items for continuing discussions. I specifically 
>>>> added a section on trust related to a Delegate, and I included 
>>>> ideas Frank included in his write-up. I specifically did not 
>>>> include Goal Adoption because I think it is unnecessary and 
>>>> confusing as currently described; my response to Frank’s Additional 
>>>> Comments email goes into my rationale. See some related comments 
>>>> below.
>>>> Note, I modified the Trust & Risk diagram (Figure 2) to include 
>>>> using Reputation for assessing Trust and Risk because otherwise 
>>>> Reputation is simply defined but not used.
>>>> In specific response to Frank, see <KL> as follows:
>>>> <Frank_email>
>>>> Some comments...
>>>> 1. The diagram should say that an actor participates in a joint 
>>>> action. You can’t participate in an action; you perform one.
>>>> <KL>
>>>> Agree and Figure 1 now contains two variants from which we can choose.
>>>> </KL>
>>>> 2. The definition of willingness is somewhat circular.
>>>> Wikipedia uses this definition:
>>>> Willingness: the state of being willing.
>>>> Willing: Ready to do something that is not (can't be expected as) a 
>>>> matter of course.
>>>> Ready: Prepared for immediate action or use
>>>> However, I think that we mean something slightly different:
>>>> Willingness: an internal commitment to participate in a joint action.
>>>> <KL>
>>>> The Trusting Actor is willing to perform an action that is usually 
>>>> expected to be part of a Joint Action, but this can happen 
>>>> independent of (and certainly, prior to) Willingness on the part of 
>>>> other actors.
>>>> Still needed: text elaborating relationship between Joint Action 
>>>> and interaction.
>>>> </KL>
>>>> There is another point that I think is important for SOA:
>>>> There is a presumption of willingness based on participation in 
>>>> joint actions. The fact that an actor participates in a joint 
>>>> action may be taken as evidence that the actor was willing to do 
>>>> so. I.e., we do not try to model /coercion/ in our model of 
>>>> willingness. This evidence of willingness ultimately becomes the 
>>>> foundation for non-repudiation: evidence of participation is 
>>>> evidence of willingness, which in turn is evidence for 
>>>> non-repudiation.
>>>> <KL>
>>>> My initial inclination was to agree with this, but I have 
>>>> reservations. Phishing is an example where participation is not 
>>>> willingness in terms of the actual RWE. Also, willingness is only 
>>>> explicit for RWE known to the Trusting Actor and not necessarily 
>>>> for RWE that is not publicly documented or otherwise known. Thus, 
>>>> the connection to non-repudiation is tenuous.
>>>> </KL>
>>>> 3. The Trust and Willingness diagram draws a trust relationship 
>>>> between actors. I think that they are both inherently ternary 
>>>> relations: trust about some action/outcome. I think that actors 
>>>> assess the evidence to determine their stance to risk and trust.
>>>> We have tended to focus Real World Effect on the effects of service 
>>>> actions: I ask you to do something. But reputation may necessarily 
>>>> have a much broader basis (hearsay, government intervention, etc.)
>>>> <KL>
>>>> Agree and conveying that idea is certainly intended.
>>>> </KL>
>>>> 4. I do not think that we need to go into chains of trust. For the 
>>>> same reason that we don't do much of service composition.
>>>> <KL>
>>>> That was in your proposed text. I tried to incorporate this more 
>>>> fully in the latest revision. See the comment that I included in 
>>>> the text. The range of discussions and examples point to the need 
>>>> for three distinct write-ups: (1) a concise model for trust, (2) a 
>>>> separate discussion of how trust affects interaction, especially 
>>>> composite interactions, and (3) more detailed discussions about the 
>>>> processes and mechanisms involved. (1) is what I am working here, 
>>>> (2) should probably be an addition (if necessary, after PR2) to the 
>>>> interaction write-up, and (3) are separate documents outside the 
>>>> scope of the RA but hopefully elaborations that can build on the RA 
>>>> foundation.
>>>> </KL>
>>>> 5. Co*nsequences of Assessing Trust and Risk* repeats earlier stuff.
>>>> <KL>
>>>> Moved to section 3.x.x.1 and condensed.
>>>> </KL>
>>>> 6. *Trust and SOA:* cut down and move to the beginning.
>>>> <KL>
>>>> I didn’t move this because I think it requires the discussion of 
>>>> trust and risk before it makes sense. However, I’m open to specific 
>>>> suggestions.
>>>> </KL>
>>>> </Frank_email>
>>>> Hopefully, this will enable us to move forward.
>>>> Ken
>>>> --------------------------------------------------------------------------- 
>>>>
>>>> Dr. Kenneth Laskey
>>>> MITRE Corporation, M/S H305 phone: 703-983-7934
>>>> 7515 Colshire Drive fax: 703-983-1379
>>>> McLean VA 22102-7508
>>>>
>>>> The information contained in this communication may be CONFIDENTIAL 
>>>> and is intended only for the use of the recipient(s) named above. 
>>>> If you are not the intended recipient, you are hereby notified that 
>>>> any dissemination, distribution, or copying of this communication, 
>>>> or any of its contents, is strictly prohibited. If you have 
>>>> received this communication in error, please notify the sender and 
>>>> delete/destroy the original message and any copy of it from your 
>>>> computer or paper files.
>>>>
>>>> <trust revised 20090824.docx>
>>> <trust revised 20090824 BL-KL.docx>
>>
>> -----------------------------------------------------------------------------
>> Ken Laskey
>> MITRE Corporation, M/S H305 phone: 703-983-7934
>> 7515 Colshire Drive fax: 703-983-1379
>> McLean VA 22102-7508
>>
>>
>>
>>
>>
>
> -----------------------------------------------------------------------------
> Ken Laskey
> MITRE Corporation, M/S H305 phone: 703-983-7934
> 7515 Colshire Drive fax: 703-983-1379
> McLean VA 22102-7508
>
>
>
>
>


-- 
Rex Brooks
President, CEO
Starbourne Communications Design
GeoAddress: 1361-A Addison
Berkeley, CA 94702
Tel: 510-898-0670