I used the following "definitions". Confidence is a belief that future events will occur in line with one's expectations, based on familiarity and prior experience. Trust means conferring responsibility to and relying on a person-like entity, where you place yourself in a vulnerable position.
Both concepts refer to expectations which may lapse into disappointments. However, trust is the means by which someone achieves confidence in something. Trust establishes confidence. The other way to achieve confidence is through control. So, you will feel confident in your friend that he won't betray you if you trust him and/or if you control him.
Trust and control are two different things. For me, control is the ability to force someone to perform a specific action, while trust is the positive expectation you have that someone will perform a specific action irrespective of your ability to control him. Both control and trust lead to confidence. For example, I have confidence that a restaurant waiter will be polite because if he is not polite I will complain to the manager and the waiter will be fired (Control). Or it can be that I have confidence in the restaurant waiter because I just trust him because of previous experience or because of his good reputation (Trust). If you would like more information, the following book is a good source regarding confidence, trust and control. http://books.google.co.uk/books?id=xRLqGKY8axwC&lpg=PA10&ots=xPCnv67aWX&dq=confidence%20trust%20control&pg=PA7#v=onepage&q=confidence%20trust%20control&f=false
The discussed problem is very "ancient". I have found an interesting paper on the topic "Trust vs Confidence". The author Barbara D. Adams writes that confidence judgement typically has a very specific referent, and is influenced by base rates and prior probabilities. A trust judgement has a broader scope and referent and is characterized by a specific lack of information, and by the need to take a “leap of faith” from what is known to what is unknown. Moreover, unlike confidence judgements (which can occur in many situations), trust is only an issue in the presence of risk, uncertainty, vulnerability and the need for interdependency with another person (Mayer et al., 1995). Without these situational antecedents, trust is not likely to come into play. In short, it is important to make a distinction between the concepts of trust and confidence. Hope that this paper will be interesting to you.
Confidence is a subjective probability in an event's occurrence. Trust is a reason for belief in an event's occurrence, just as is 'Power' (also referred to as "control") over an event, 'Objective Evidence', e.g. conformity to physical laws, or 'Self Interest' (i.e. an individual will perform an event because it is in their, not your, interest to do so).
There is a fairly long history to 'what is trust?'. If you can say a little more about why you are interested in the question I may be able to point out a few relevant papers. My own thesis has a fairly comprehensive survey and can be downloaded from researchgate if you want to wade in :-) (I only suggest the survey chapter).
I have published a conf. paper about the meaning of confidence in my research field. Maybe it would be interesting for you or you could provide interesting comments about it.
Conference Paper Confidence: Dependencies and their critical role in fosterin...
I have a follow-up question: What is the difference between having confidence in a physician and trusting this physician? Perhaps if someone could help me translate these concepts into French I would very much appreciate it.
I will try to help you. Trust and Confidence are both translated into French as Confiance, almost as in Portuguese. But in English there is a small difference. Confidence is the feeling of believing in someone or something, and Trust is the belief in the reliability of someone or something.
First I must apologise for not being able to write this in French. Perhaps Victor might oblige with any necessary clarification?
The problem with discussing the term “trust” in English is that English is an imprecise language and for trust, as with many words, the exact meaning is context dependent.
However I think there are some legitimate generalisations that may be made. Generally trust has two elements, a belief that someone has the intention of doing something and the belief that someone has the competence to do something. If the person fails because of a failure of intention, we say that they have betrayed the trust we placed in them. If they fail due to lack of competence we say that they have failed us but rarely that they have betrayed us. When we speak of confidence in someone I believe it is usually the case that we are dealing with competence rather than intention.
So to take the concrete example: I have confidence in my physician means that I believe they are competent to perform the task of a physician. To say I trust my physician means that I believe they have the intention of performing well towards me and that they are competent to do so. Both confidence and trust may be misplaced. My confidence is misplaced if my physician fails me due to lack of competence. My trust is misplaced if either my physician betrays me (i.e. intentionally does me harm) or fails me due to a lack of competence.
O.K. so all this is arguable and may be considered “hair splitting”. The important issue is that there are two different beliefs about people, belief in intention and belief in competence, and we need to consider both when we talk about “reliance on others”.
Thank you Will for your valuable contribution. I translate your concrete example:
"I have confiance (confidence) in my physician" means that I believe he is competent to perform the duties of a physician. To say that I have confiance (trust) in my physician means that I believe he has the intention of performing well towards me and that he is competent to do so. Both confidence and trust may be misplaced. If my confiance (confidence) is misplaced, my physician has failed me due to a lack of competence. My confiance (trust) is misplaced if my physician betrays me (intentionally does me harm) or fails me due to a lack of competence. What is the difference between confiance (confidence) and confiance (trust)?
Will Harwood, thank you for your answer. I am writing a paper about "Trust and Places" / supporting knowledge co-creation so I have recently studied the issue and I found your answer to be clear and thorough. If Ms Seco (or someone else, since the question is quite old) wants to have something to refer to, here are some:
"Probing the Links Between Trustworthiness, Trust, and Emotion: Evidence From Four Survey Experiments / Blaine G. Robbins"
"An Integrative Model of Organizational Trust" / Mayer et al
If we use the two terms trust or confidence in quality of service provided by public sector organizations or institutions to their citizens, does it make any difference in the deep meaning? I can see that the only difference is confidence comes after a series of experiences (evidence) but trust is just intention.
However, we can consider trust is an overall goal/aim and confidence is a smart objective that can be measured by evidence based on past experiences and competencies. For example, we can or not build trust in police office without confidence.
Victor Manuel Monteiro Seco : Trust does not exist in Portuguese, or Korean, for example. It is not equal to confidence, or confiança.
Where trust exists linguistically, it is contrary and in distinction to confidence or authorization in a network, which requires a source, trust does not use authority. There are multiple ways of knowing, and none is fundamental. Some languages do not have this concept. It is missing in the social computation. So, first ask, is there a word for trust in one's native languages, experience, in all sources one cites, or is it somehow overloaded with confidence?
This is important, for example, in computer protocols, to defend against MITM, and in finer use. Some countries do not have it, though, originally. This happens in other areas, where Russians can see more colors than Americans, because they name them in a more comprehensive system, it is not the DNA.
In Portuguese, for example, and Latin languages in general, there is no word for trust. Portuguese speaking people only use and hear about confiança, which is confidence. But confidence requires a source, and does not represent trust as a social concept.
Curiously, those societies have difficulties developing that missing linguistic concept in their collective structures, for example, requiring a Pope in their religious expression, when, actually none is required, as many organizations show. There would be further consequences, in the social and political domains. Finding the "head" of a movement can also be used repressively, and is detrimental.
It seems possible that the relationship between language and mental constructs is not necessarily so straightforward. We cannot assume there is one word for every mental construct. For example, in a language which contains only a word for confidence and no word for trust, is the word for confidence used in qualified ways that allow the same distinction as exists in English between trust and confidence?
Will: Thanks. It was not assumed what you are concerned about, and was mentioned that trust could be "somehow overloaded with confidence" -- even in English, which has two words.
Certainly, the lack of a word, trust, does not help. See the ethnicity of incorrect answers in this forum. But that is not only here, the distinction is, more often than not, not used even in native English. The everyday use in English is to overload, it just gets a better chance not to. The social and security importance continue.
Ed: I hope you can clarify something for me about your MITM reference. I do not see the point of your reference to Man-In-The-Middle (MITM) attacks in relation to the discussion of trust and authority. The basic defense against MITM is to hold appropriate keys that allow a participant to authenticate the other party. Obtaining such keys may either be done by an out of band exchange with the other party e.g. meet up in a coffee shop and swap keys with one another, in which case one is transferring already established trust from the social domain to the digital domain, or by use of a third party known to both participants to distribute keys. But, the problem of trust is now transferred to the interaction of the participants with the third party. Each participant must have already established trust with the third party. If they wish to interact with the third party electronically for key distribution they must transfer trust from the social domain to the digital domain - a process that ultimately bottoms out in meeting up and exchanging keys.
I am not denying that you can use a third party as a key distribution point or “trust authority”, but it’s rather saying that any trust in it flows from a pre-established trust relation that is based ultimately on direct trust relationships between individuals that do not themselves rely on a third party authority.
Will: "Mitm attacks are hard to handle, as well as spoofing, but it is very hard to coordinate these attacks on more than two channels at the same time. The reasoning is like the calculation of error-correcting codes: you add redundancy and you improve reliability. For example, if one channel is Web directly off a cable-modem and the other is a fax, the two use entirely different communication channels that must agree on end results."
Confidence (CA) does not solve it, trust does. Today, people use modem and phone text, as the two channels.
See the rest of the discussion and more at RG, I will post the URL soon.
Ed: Sorry that really didn’t answer the question. MITM attacks are handled by authentication of the parties involved - your discussion seems to be about how the parties obtain the information required for the authentication. This information may be a shared secret or may be a public key. Ultimately however it must be obtained from a trusted source, either directly or via a sequence of interactions with third parties. The particular protocols and infrastructures used make very little difference to the need for the underlying trust relations and how they are transferred between the real world and digital domain. Any notion of authority over a trust flows from a pre-established trust. Adding redundancy, using different channels (out of band communications in the parlance), etc, may make interception more difficult but does solve the problem. Also referring to your essay, it is impossible to say things like the probability of spoofing is reduced to 1% without the assumption of independence between attacks on channels - in dealing with “security” as opposed to “accidents” the independence assumption is invalid.
None of this seems to help in drawing a distinction between trust and confidence. Neither trust nor confidence needs to follow from authority. And equally we may say that either may be given ‘Blindly’ or be based on evidence.
Ed: I find your answer too telegraphic to understand - what exactly answered the question - your comment or my reply?
Perhaps for clarity you would care to explain your views on man in the middle attacks and trust with respect to a mutually authenticated RSA exchange where the two participants have met up and exchanged public keys at a cafe before exchanging messages digitally?
Reflections upon the significance of Russian colour discrimination and trust.
Above Ed Gerck refers to experiments in Russian colour perception as indirectly supporting evidence for his suggestion that language is a significant factor in determining the relationship between trust and confidence. The suggestion seems to be that lack of the linguistic category for trust might reflect a lack of the conceptual capability to recognise, or engage with, trust. The corresponding idea for colour perception would be the lack of a linguistic category reflects the lack of a perceptual capability. The experiments in Russian speakers vs American English speakers colour distinction however point to a slightly different result. Whilst Russian speakers do verbally distinguish between light and dark blue more readily than English speakers this ability is not perceptual in origin i.e. when given the task when the verbal processing capabilities are engaged with outer activities, such as spatial delimitation of colour boundaries whilst memorising a sequence of digits, the two groups perform equally well. The conclusion then is that the distinction is not perceptual but verbal in nature. Indeed both languages have extensive non basic colour terminology for which there is no suggestion of perceptual distinction being present.
In essence what is being proposed is the Sapir-Whorf hypothesis applies to trust and confidence with the existence of particular terms within a language determining the conceptual framework of the individual. However this must be contrasted with the notion of the ‘social construction reality’ and in particular that social reality is responsible for the emergence of linguistic categories. And so we are faced with the classic chicken and egg problem. The evolutionary approach to such chicken and egg problems is to say there is a positive feedback which once started, say by the social construction of categories, it becomes self re-enforcing until a ‘mutation’ changes the dynamics. In the world of colour descriptions in Russian this happens, for example, when the distinction of “purple” was introduced into Russian in the 18th century. Had Russians been unable to ‘see’ purple the distinction could not work, but adding the distinction changed verbal behaviour.
With trust and confidence we might consider a similar issue. It is possible in some societies that the non-existence of a term for trust reflects the nature of the society (social construction hypothesis) but does not reflect the non-existence of the concept of trust in that society, just its current lack of utility. In such cases we might hypothesise an increase in utility of the notion of trust should be accompanied by the import of a term for trust into the language.
This might be an interesting avenue of experimental investigation.
Above, Will Harwood writes, "The corresponding idea for colour perception would be the lack of a linguistic category reflects the lack of a perceptual capability."
This is the beginning of a fallacy. The corresponding idea is different, as we shall show, but that author, teleologically, chooses a path of dissent.
This has now become recognizable as a pattern in other dialogues by that author in RG, in several topics. The same applies to other authors in RG, such as in the school of dialectics, and especially physicists are trained to not use it, so in that spirit, of avoiding a common illness that can affect us all, let us dissect it. Here, we are always criticising the theory and not the person. No ad hominem attack is to be construed from these words.
The error is in the last part of the author's text, as quoted above. The author wrote, "...reflects the lack of a perceptual capability." But that was not said in previous posts that the author is criticizing, by myself. Actually, the opposite notion is explicitly voiced.
This is an unforced error, with a pattern, but made into a lengthy post full of right ideas, properly copy and pasted as it cites, but on the wrong start, the conflict.
The lack of a perceptual capability is denied in my previous communications, when I wrote that is not in the DNA. But, that is why the posting by Will Harwood, appearing to be a dissent, is actually a confirmation of our group studies.
For more than 20 years, our group, MCG, MCWG, PKIX, X.509, PGP, NSI, E-CARM, and many participants in almost all countries, with hundreds and thousands of our discussions on this very theme available online, and books we wrote, created (not copied) by many individuals, and available for copy and paste by anyone with online access or library card, which access we conceptually and physically helped create when we took the Internet public on purpose, in expecting widely the trust we saw as possible in the confidence of the ARPANET, work that is unplagiarizable by its very density and coherence and variety, incapable to be misinterpreted by any rational observer.
Ours is a contribution asking to be toppled, as any human creation, as time goes by, but parts remain, not contradicted by polemicists or unreality -- the Internet exists as a consequence of the reality of trust, not, and in spite of, confidence. If confidence were followed, the Internet would not exist. See the references, they are online, the online we helped exist.
It is in the archives, read the Internet manual, talk to the Internet staff, and you will see that they do not literally exist, that is good, and it works.
Trust is an unpremeditated result, is not a perceptual quality, is qua proprioception to perception, but it is a collective effect, a social computation (whereas proprioception is individual). It is not an organ like the eye that sees colors. It is not in the DNA, as I first said, no polemic possible. It is radically different from confidence, although often confused, not by any imagined lack of perception, but by lack of social training.
Polemicists are capable of writing about any theme, and the basic technique is the same. Find a point of supposed controversy (such as, what an otherwise clear phrase says, such as Will Harwood writes previously, ".. what exactly answered the question - your comment or my reply?") and use that as the opening, now created, and create a second point to continue, a teleological choice to dissent, as evidenced in "...reflects the lack of a perceptual capability."
This is a notable behavior, in the due sense, but not original. Politicians learn this and other techniques, as well as debate teams in high school, where quarrel is confused with discussion, and discussion is confused with argumentation. It is in the books, and the examples.
This behavior is not, however, a winning strategy. Life is school. It has the terms of its own undoing, as being the actual confirmation of false dissent, as above, and in Will Harwood echoing the discredited theory of Lamarck, in that people whose work involves colour distinctions on a daily basis might develop a genetic change. Simply, Lamarck was wrong in that case, that does not change the DNA.
Lamarck's discredited theory of heredity, the "inheritance of acquired traits", may find a modern expression in epigenetics, which then can indirectly affect genetics. But that has nothing to do with the topic on trust.
Teleology is, itself, a fallacious argument, avoided in physics and other professional areas, but often used (perhaps, without noticing) by laypeople (who also confuse tele-ology with the-ology, such as in Wikipedia, but have different prefixes in Greek). Will Harwood, once again, proved it.
The statement made by Ed Gerck is "This happens in other areas, where Russians can see more colors than Americans, because they name them in a more comprehensive system, it is not the DNA." The response is that Russian speakers can name certain colour distinctions faster but do not see more colour distinctions.
The use of the term "not in their DNA" does not actually address this distinction in that it assumes that perceptual capabilities are the result of genetics and not of environment or learning, which at least could be the case in principle. For example one might anticipate that peoples whose work involves colour distinctions on a daily basis might develop more acute perceptions of such distinctions i.e. the eye may become trained in the same way as the ear may become trained in regards to pitch. I admit this is speculation but is a distinct possibility.
To re-iterate the significance for the discussion of trust lest it become lost in the above rhetoric - lack of linguistic categories does not necessarily correspond to lack of conceptual categories and may simply reflect a lack of utility in a given society.
This thread is speaking of a conceptual, not perceptual, effect, certainly not an organ.
Conflating trust with eyesight, and even the processing of colors as an imagined reality, where no one in their DNA sees more than Red-Green-Blue, as no one actually sees yellow in their DNA. It is in the genetics and not of environment or learning.
For example, albeit with very few mutations in DNA, such as a California artist with an extra receptor in the DNA, for extra colors she can paint, objectively, isolated, no social language to learn, no individual learning, no environment, no nurture polemic possible (they just CANNOT be the case, even in principle) -- will take us far?
Yes, certainly will show the old, long, road of discussion. The expressive need is very deep, lies below the conscious level, but others can see. Hopefully, it can lead to a better understanding, if the rules of discussion, not polemic, are obeyed.
As another example, provided in normal text by Will Harwood, and corrected here in bold text, one must NOT anticipate in terms of the DNA discussion that peoples whose work involves colour distinctions on a daily basis might develop ... Simply, Lamarck was wrong in that case, that does not change the DNA.
Rather than even a speculation, it is a false possibility in terms of the DNA discussion. Lamarck's discredited theory of heredity, the "inheritance of acquired traits", may find a modern expression in epigenetics, which then can indirectly affect genetics. But that has nothing to do with the topic on trust.
As we said many times before, it is online, mapping many cases worldwide, trust is the counterpart of power. When facing more power, one needs to trust more, not less. Therefore, there is NO lack of utility of trust, in any given society.
By distinguishing trust from confidence, we might be breaking free ourselves and others. Let us not choose a contrarian view, teleologically, just to create space for a fruitless dissent. Linguistically, that might be the greatest contribution, to teach a new language to a tired, polemic, conflicted, psychotic reality -- while the solutions require collective effects.
However, in philosophy, which is what this essentially is about, we should always criticise the theory and not the person. In undergraduate philosophy tutorials, especially in debates about applied philosophy, we have to discuss contentious issues like abortion, animal rights, and nuclear weapons.
We should strive to do that dispassionately, with philosophical objectivity, and without taking offence or attacking other people, even if we’d be shocked by the views they’re stating in the context of ordinary life.
There’s no other way to do philosophy. If we want to think rationally ourselves, we have to focus on the evidence for and against what people say, and forego criticism of the other person’s character.
in https://www.researchgate.net/deref/https%3A%2F%2Fdonaldrobertson.name%2F2016%2F12%2F24%2Fad-hominem-arguments-and-the-principle-of-charity%2F
Above I asked a question of Ed Gerck about his ideas on Trust and man-in-the-middle attacks in a mutually authenticated RSA exchange. From the last response I saw from Ed I don’t think it will attract an answer, so I will provide one in case anybody is interested in why the question was asked.
In computing we recognise the distinction between risk management and trust management. Risk management is about containment and bounding of accidental failures. Trust management is about the maintenance of pre-existing trust relations in the digital domain. So for example in dealing with man in the middle attacks we may choose to handle the risk of an attack and try and minimise the probability of an attack or the damage an attack may do, or we may choose to maintain a pre-existing trust relation in such a manner that, given appropriate pre-requisites an attack cannot successfully occur. The first approach is risk management the second trust management. Trust management depends on mechanisms that allow a pre-existing trust relation to be taken into the digital domain and this effectively means a secure method of mutually sharing key information is the basis of bootstrapping the trust into the digital domain. Moreover if there is no pre-existing trust relationship, or that pre-existing relationship has been compromised before bootstrapping to the digital domain then there can be no trust in the digital domain.
Thus for example in the case of mutually authenticated RSA exchange if the parties involved have securely exchanged keys over a private channel e.g. meeting privately and exchanging keys in a manner that cannot be intercepted then bootstrapping trust is straightforward (at least in principle, practice is another matter!). The bootstrapping will allow the parties to know that they are talking to the intended parties and the messages have not been altered and kept private from other parties. Of course it is possible for the communication to be disrupted by a denial of service attack so that the parties are prevented from communicating, but if they can communicate they have the guarantees mentioned.
If however they were to exchange keys over, say, multiple public channels, in the hope that attackers would not intercept the keys they would be engaged in risk management. And in this case, ineffective risk management, as it is predicated upon attackers not intercepting all the channels involved. Such an assumption works for accidental information exposure or corruption of information on channels. We may assume that accidents are correlated between channels and if one channel is in some way compromised the other channels are not, or that the probability that all channels are compromised is sufficiently low as to be ignored. However in the case of an intentional attacker we cannot make such an assumption. If all channels are public, intentionally so or not, then we must assume an attacker can and will compromise them all to carry out the attack. The probability of secure key exchange becomes either 0, if there is no attacker, or 1 if there is an attacker.
Now it is my understanding of Ed’s essay (see his link) that this latter approach is what he advocates. And, if indeed it is, it seems not to add to the understanding of trust because it is addressing the wrong issue.
I would hate for anyone to think I am a Lamarckian! I suggest only that people may acquire an ability by training, not that their DNA is altered or the changes inherited! (Perhaps phrases like ‘training the eye‘ and ‘training the ear‘ don’t translate well into other languages.)
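The contrast drawn in the posts above, between a public key handed over in person and a key collected over several public channels that are only checked for agreement, sketched as an added example that is not part of the original thread. It uses toy textbook RSA built from Mersenne primes (illustration only, not secure); the names ALICE, MALLORY, challenge_response, key_from_channels and the scenario functions are assumptions made here.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent


def make_keypair(p_bits, q_bits):
    """Toy RSA key from two Mersenne primes 2**k - 1 (illustration only)."""
    p, q = 2**p_bits - 1, 2**q_bits - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"public": (n, E), "private": (n, d)}


def _digest(message, n):
    """Hash the message and reduce it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


# Constructed parties: ALICE is the intended peer, MALLORY the interceptor.
ALICE = make_keypair(89, 107)
MALLORY = make_keypair(521, 607)


def challenge_response(believed_public, responder_private):
    """Verifier sends a fresh nonce; the responder signs it; the verifier
    checks the signature against the key it believes belongs to the peer."""
    nonce = secrets.token_bytes(16)
    return verify(believed_public, nonce, sign(responder_private, nonce))


def key_from_channels(channel_answers):
    """Redundancy check: accept a key only if every channel returned the
    same one; return None when the channels disagree."""
    return channel_answers[0] if len(set(channel_answers)) == 1 else None


def scenario_pinned():
    """Key was exchanged in person, so the verifier's belief is fixed."""
    pinned = ALICE["public"]
    return {
        "alice_accepted": challenge_response(pinned, ALICE["private"]),
        "mallory_accepted": challenge_response(pinned, MALLORY["private"]),
    }


def scenario_channels(compromised, total=3):
    """Key is fetched over `total` public channels, of which `compromised`
    return the interceptor's key instead of the real one."""
    answers = [
        MALLORY["public"] if i < compromised else ALICE["public"]
        for i in range(total)
    ]
    key = key_from_channels(answers)
    if key is None:  # disagreement noticed, no key accepted
        return {"key_accepted": False, "alice_accepted": False,
                "mallory_accepted": False}
    return {
        "key_accepted": True,
        "alice_accepted": challenge_response(key, ALICE["private"]),
        "mallory_accepted": challenge_response(key, MALLORY["private"]),
    }


if __name__ == "__main__":
    print("pinned key:          ", scenario_pinned())
    for k in (0, 1, 3):
        print(f"{k} of 3 channels bad:", scenario_channels(k))
```

The agreement check catches a partial compromise, but when every channel carries the substituted key the check passes and the wrong party authenticates, which is the independence assumption the posts above object to.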
Will: It was answered by yours truly. It is online. No other answer is possible, and wrote that to you. It results from No one can prove the absence of a covert channel. It is a theorem. It is verified. It is solved by trust, in the linguistic way -- it is the only solution, and, remember, do not trust the machines! Look for Reflections on Trusting Trust, by Ken Thompson.
That can be a MITM. We use it all the time in cybersecurity and, perhaps surprisingly, in physics and maths. Please stop the false controversies. Only the wolves fall in traps for wolves.
A trap for wolves is not, and also not in copy and paste from Wikipedia or Stanford, what RG intended to support.
The old translator motto applies, "Traduttore, traditore" - best said in Italian, meaning "translator, traitor". Different languages, like Portuguese and Korean, do not have a word for trust, and it is not the same to use confiança in Portuguese, for example.
Conversely, Portuguese has a word in saudade, that English cannot grasp. Maybe Portuguese speakers find a comparison there, for what they miss in trust. Every language we studied, has similar cases, and justifies neologisms. Let us have saudade of conversation, if you know what I mean.
Ed Gerck: you have an interesting way of deflecting and not answering questions directly. One might almost say your approach is polemical.
But as the possibilities of a mathematical theorem proving “No one can prove the absence of a covert channel” is of interest to me, I will bite - where is it published and what definition of covert channel does it use? Lampson’s original or a later one such as Grusho’s?
Saudade doesn't translate to English in all meanings of it, in German could be Sehnsucht, as "longing", "suffering in silence like a tooth ache, but touching to feel it hurting when it stops", "yearning", or "craving", thoughts and feelings about all facets of life (not just imperfect or faulty), and more. Very important in physics, describing a hidden variable very well.
Trust could not be confiança, because it is not exact, and cannot be exact, and it would leave a saudade of the meaning that is not there. If the saudade is not zero, there is something missing in the longing, in the Sehnsucht.
Will: You would catch more bees with a drop of goodwill than with a liter of vinegar. Imagining, by the charity principle of avoiding ad hominem attacks, a drop of goodwill in your words, it does not matter if not there, what can I say?
That theorem is mine and not public, it is still sensitive. That is not a problem, you can try to derive it -- knowing that it exists, is one more motivation, you are not looking for a fantasy.
Now, you can also look for applications of it, that show you it must be true, even though you cannot prove it.
Some results are just like that in theoretical computer science (that was a hint, of the area). Submarine cable sea coupling can breach all communications undetected. Available since 20 years ago. See Snowden files. Now, it is implemented in chips already.
And this connects to the theme of this thread, the difference between trust and confidence.
Ed: without the definition of covert channel that you are using, trying to derive the theorem would be a pointless activity. If you have a proof, publish it. After all, lots of people will be interested and there should be no difficulty in getting fast track publication, e.g. in Information Processing Letters, or some other quality reviewed journal.
Wil: As I wrote, it is too sensitive to make it public, and I would use preprint publishing before, as a simple matter of copy and paste. We prefer this way today, anyway, for speed in getting the results out. Have you used that process?
Ed: a pre-print route might get material out faster, but today there are many online journals with fast turnaround and conventional periodicals that have online pre-prints of reviewed material, so that things get out quickly. I don’t know what experience you have had in publishing in the security community previously, but I would suggest that since the theorem is quite significant in its claims, a reviewed publication approach would be better.
As you suggested that I try proving the theorem myself, I did devote a little thought to it yesterday and came up with the following. It is based on the Lampson unintended channel notion of a covert channel and probably differs from your theorem. This is very much outline notes, but I think the ideas of the proofs involved are clear enough for an informal discussion.
We will consider a system Sys with no input channels and a set of output channels Ch. The set Ch can be divided into intended channels (Ch_i) and unintended channels (Ch_u). Whatever output behaviour takes place on intended channels can be ignored; these are by definition not covert channels. To understand this division, consider a system that outputs a sequence of messages. Each message is an intended transmission; however, the timing between emissions of messages may be an unintended channel of communication. So in this framework the messages are regarded as coming over an intended channel and the timing information is regarded as coming over an unintended channel.
Black box case: If we look at Sys as a black box then we can see trivially that if Ch_u is empty or the outputs associated with each c in Ch_u are a deterministic function of time (f_c(t)) then there is no covert information flow (obvious since the output f_c is entirely determined and predictable). If on the other hand we have even a single channel in Ch_u that is a stochastic function of time then we cannot determine whether or not there is a covert channel (proof: either apply Grusho et al. Covert Channel Invisibility theorem, or consider the following simple case: the channel x is used for sending data from Sys by using a one-time-pad cipher with the pad being a true random pad. Outputs on x are indistinguishable from noise to anyone who does not possess a copy of the pad, so no black box observer without a copy of the pad can determine the information leakage even if they know all the data that could potentially be leaked).
White Box case: if we construct a system Sys then we can guarantee the absence of covert channels, even if there are unintended channels with stochastic outputs. If there are no unintended channels with stochastic outputs there is nothing to do. If there are unintended channels with stochastic outputs then we have a choice of treatment of them. We may either (a) reduce them to constant outputs, or deterministic functions of time, by use of passive means or active negative feedback, or (b) combine their outputs with a true random noise source to remove the ability to extract information from them.
So full statement of a ‘no covert channel theorem’: if a system has at least one unintended output that is a stochastic function of time then we cannot determine by black box observation whether or not a covert channel exists. However, we can always construct a system with the same intended behaviour which provably has no covert channels.
Of course this is only a sketch and I am not claiming in any way that this is a theorem with a finished proof - do not trust proofs until you see them and not even then until you understand them!
Ed: sorry I didn’t answer ‘have I used this process’. I haven’t, although colleagues have. The problems they have reported are that the material doesn’t necessarily get indexed appropriately and is lost in the noise, it can jeopardise full publication in certain journals or conferences and, from the purely academic point of view, may not count to publications as they are not reviewed.
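The one-time-pad case from the black-box argument above, together with the noise-mixing treatment from the white-box case, worked through as an added example that is not part of the original thread. All function names and sample data are constructed, and `secrets.token_bytes` (a CSPRNG) is an assumed stand-in for the true random source the post describes.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))

def emit_on_channel_x(data: bytes, pad: bytes) -> bytes:
    """What Sys puts on the unintended channel x: data masked by the pad."""
    return xor(data, pad)

def observer_view(secret_byte: int) -> list[int]:
    """Exact output distribution for one byte as seen by a black-box
    observer: how often each value appears over all 256 equally likely pads."""
    counts = [0] * 256
    for pad_byte in range(256):
        counts[secret_byte ^ pad_byte] += 1
    return counts

def pad_explaining(observed: bytes, candidate: bytes) -> bytes:
    """The pad under which `observed` would be carrying `candidate`."""
    return xor(observed, candidate)

def mask_with_noise(channel_output: bytes) -> bytes:
    """White-box treatment: mix in fresh noise that nobody keeps a copy of."""
    noise = secrets.token_bytes(len(channel_output))
    return xor(channel_output, noise)

SECRET = b"constructed key!"              # constructed sample data
PAD = secrets.token_bytes(len(SECRET))    # shared only with the pad holder
OBSERVED = emit_on_channel_x(SECRET, PAD)
MASKED = mask_with_noise(OBSERVED)

if __name__ == "__main__":
    # The pad holder recovers the data exactly.
    print("pad holder reads:", xor(OBSERVED, PAD))
    # Without the pad, every output value is equally likely for any secret.
    print("view independent of secret:",
          observer_view(0x00) == observer_view(0xFF) == [1] * 256)
    # Any other message of the same length explains the observation too.
    other = b"another message!"
    print("alternative consistent:",
          emit_on_channel_x(other, pad_explaining(OBSERVED, other)) == OBSERVED)
    # After noise mixing, even the pad holder gets only noise.
    print("pad holder after masking:", xor(MASKED, PAD))
```

The distribution check is exact rather than sampled: for a single byte, each output value occurs once across the 256 possible pads whatever the secret is, which is why observation alone cannot settle whether channel x carries data.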
Wil: You wrote, "we can always construct a system with the same intended behaviour which provably has no covert channels." This is incorrect. Hope this helps.
Ed: I have outlined the proof of the assertion, so please either find the fault in the argument, give the counter example, or state your theorem and give your proof. Simply making assertions is not an adequate response.
Moreover, looking at the version of the theorem I have outlined in the light of what you have said about the content of your theorem, i.e. that it was impossible to show the non-existence of covert channels to be true, you would have to show that for all systems the equivalent covert channel free system cannot be constructed. That is to say your theorem will fail if just one counter example can be found. So even a weaker theorem to the effect that it is sometimes possible to construct an equivalent system would present difficulties for your theorem.
All: my apologies for the somewhat esoteric exchange about covert channels and proofs on a discussion about trust and confidence. However I think this is a good place to pull the discussion back to topic. What is the role of proof in discussions about trust and confidence? Can you ‘trust a proof’, can you have ‘confidence’ in a proof? Or are such discussions of proof and confidence in proofs really just proxies for talking about the people supplying the proofs?
The situation in formal logic is straightforward. A proof is a definite object, that must follow certain rules and, if adequately formalised, can be checked by people or by machines without knowledge of the content of what is being proved. In such cases the existence of a proof replaces the need for trust and one's feeling of confidence should either be zero or total depending on whether or not the proof checks out.
However, in everyday mathematics proofs are not so rigorously formalised and it is common for proofs to involve steps that require significant levels of knowledge and insight. In these latter cases, unless you possess this expertise, to trust a proof or have confidence in it, is at least in part to trust, or have confidence in, the people who provide and/or vouch for the proof.
This discussion can be extended to ‘trust/confidence in computers’ (considered as hardware) and ‘trust/confidence in software’ (i.e. what runs on computers). Both hardware and software can be regarded as logical constructions, whose behaviour can be specified and that can be developed constructively to guarantee the specified behaviour is what they actually perform. Producing systems in this way is not easy and requires skills and expertise that are not common in the computer industry but yet do exist, and consequently most systems are not developed using such approaches. So again the question arises: what does it mean to have trust or confidence in a computer system? In principle we could be given a proof of a system's behaviour, but understanding the system specifications and proofs is far beyond the capabilities of most system users. So where can confidence come from?