/ risk

Transitive trust and risk

"... and of course we have set transitive trust between different sources of identity" said he with a glee. That's when I knew for certain I was not speaking with someone that has had a long and successful track record of setting up identity management in an enterprise environment.

Information security practitioners will often roll out the old and tired "transitive trust is bad" adage. Unfortunately the line is parroted too often without understanding why transitive trust is bad.

Trust and related terms###

Let us examine definitions of a few pertinent terms related to trust. The below is taken from the well established academic literature on trust.

Trust: the intention to accept vulnerability to a trustee based on positive expectations of his or her actions. In other words, if you trust someone you are at risk that your trust is misplaced. The degree of this risk is based on trustworthiness.

Trustworthiness: the ability, benevolence, and integrity of the trustee. Example: if you're a pillar of the community your trustworthiness is high. If you're a lying, thieving scoundrel then your trustworthiness is appropriately low.

Trust propensity: the dispositional willingness to rely others. Example: some people willing to trust complete strangers with their secrets right after a handshake. Those people have a high propensity to trust.

Example scenario###

Imagine the following trust relationship:

  1. "A" trust "B".
  2. "B" trusts "C".

Normal trust relationship: "A" does not trust "C".
Transitive trust relationship: "A" implicitly trusts "C" because "A" trusts "B" and "B" trusts "C".

Trust relationship places "A" in vulnerable position with regards to "B". "A" typically only enters such relationships if "B" is deemed highly trustworthy or if "B" is similarly going to be in a vulnerable position with regards to "A". In organisational scenarios trustworthiness is measured in lines of legal code in a contract and the ability to enforce that same contract.

Transitive trust###

"A" does not have any reciprocal relationship with "C", nor is "A" aware of, or formally informed of, "C"'s trustworthiness. That combined places "A" in a vulnerable position with "C" without "A"'s knowledge of it. Because "A" is not aware of the situation "A" cannot take appropriate measures to minimise the risk.

If "A" knew of the transitive trust relationship with "C" then that trust relationship either changes into the normal trust relationship between "A" and "C" or the trust relationship between "A" and "B" changes to augment the risk "A" is taking. Either way the knowledge of the transitive trust changes the party trusting the trustee.

In short: transitive trust introduces unknown and unmanaged risk, forcing the vulnerable party in a known trust relationship into a trust relationship that is not known and with trust that is potentially misplaced.