This is a happy Friday afternoon rant.

I am still following the headlines for Sun (as long as that is still possible), and today I found some interesting headline: "Oracle Should Spin/Sell Sun Hardware Unit, Analyst Says". Well, interesting enough, I open the article, expecting some deep insight into what is going on. Unfortunately, the full report was not available, but the blog did mention the $23 dollar target set by the analyst, and that he would not know who might be interested in buying the Sun hardware business from Oracle.

Wow, impressive. Unless there is a lot of interesting detail in that research report (which is not available on AmTech's website), this is completely trivial: yeah, Oracle holding on to Sun's hardware business seems illogical from the outside. Good thing we have an analyst telling the world that. And Oracle will soon be at $23? I would neve have guessed that, given that they are currently at about $20, the market is pointing upward, and there is a good chance that the market will see the completion of the aquisition some time in the summer as something positive.

I think that I should consider a second career as software industry analyst: Money for nothing and the chicks for free...

Trust is one of those concepts in IdM that are hard to define or measure, yet are at the basis of most of our transactions. There are a few different ways to look at trust or capture its essence, including reputation systems, assurance frameworks, and similar solutions. At the end of the day, however, it most often comes down to this:

Basic law of trust (BLT): Alice will only trust Bob in a transaction, if the benefits outweigh the perceived risk plus her personal margin of safety.

Sometimes there are situations where we MUST trust another party (through legal requirements or lack of other options), but these can be seen as special cases.  

Now, applying the BLT, one has to manage both parts of the equation: risk (including the safety margin) and benefits. The benefits can be rather manifold, and cover all aspects of internet usage: services, purchases, personal enjoyment.

The risk on the other side can also fall into different categories: financial, reputation, legal, etc. In many cases the financial risks are most prominent: for example, when I buy some book on the internet, how can I be assured that (i) I really get the book, and (ii) my financial and personal information (shipping address) is safe and not misused. Obviously, I do have to trust the retailer and his ecosystem of partners (payment provider, shipping company, etc.) to perform the requested services to my satisfaction.

Reputation of the retailer does play a critical role: if I personally know people that had a good shopping experience at the retailer, and in addition know that there are (apparently?!) many good review by people I do not know, I am tempted to assume that the risk is not too big. At the end of the day however, it really comes down to this:

Financial trust - sue and collect: Alice will only trust Bob, if - in case something goes wrong - Alice has legal recourse and can expect Bob being able to pay sufficient damages.

I am not 100% sure if this is really at the foundation of trust in commercial transactions, but it seems to be at least one important factor. Obviously this is not a very optimistic point of view, hence the title of the blog entry.

Ok, fair enough - I give up: now on Twitter: @beuchelt. Big question: what are people using to keep up with Twitter? Right now I got the MicroBlog plugin for Pidgin, but I am not 100% sure if I like it.

When I read Larry Seltzer's piece on H.R. S 773 IS, I fell into a constant nod about the issues he raised. In addition, I have two more:

SEC. 11 (a): Lofty goals, but these seem rather obvious, since they have been at the heart of any computer security research for a rather long time.

SEC. 14: This sections empowers the Secretary of Commerce with very far reaching powers, especially since 'critical infrastructure' is so woefully underspecified.

In general, I am very unhappy with the bill's vagueness and lack of definition, especially since there are enough provisions (such as SEC. 17 - see Larry's comments) that can significantly impact the civil liberties of all U.S. persons. The intent of the bill seems honest enough, but in order for this to not backfire, a lot more work needs to go into a more robust draft.