Issues and Mechanisms for Trustworthy Systems: Creating Transparent Mistrust
Traditionally, security in distributed systems is viewed as an "extra" that comes only at the expense of convenience, performance, or functionality. Security mechanisms are often provided only at the highest levels of abstraction, and are poorly integrated into whole systems. Consequently, comprehensive security is rarely available except in the most critical applications, where threats are deemed serious enough to warrant the development of special-purpose protection mechanisms. This paper introduces the concept of "transparent mistrust," an approach that includes security as an underlying part of distributed system interfaces and services. Transparent mistrust relies on security mechanisms that minimize trust in system components without incurring costs commonly associated with security. The scalable mistrust mechanisms described in this paper support a wide range of trust models and security policies in communications networks, file systems, and distributed services. © 1994 AT&T Technical Journal