Schrödinger asks, if you put security in a box, were you secure before you opened the box?
I love it when I get to disagree with the luminaries – and they don’t come much more luminous than Bruce Schneier. But to the point… He was interviewed about ‘trust’ by The Browser, and posts the outcome on his own site here: Liars and Outliers: Interview on The Browser.
“Security exists to facilitate trust,” he says. “Trust is the goal, and security is how we enable it.”
I don’t see it. Trust is an intangible: it can be neither seen nor touched nor measured. It is unquantifiable – it can only be felt in a subjective, relative manner. But if we cannot measure it, we cannot prove whether we have it or not. So if Schneier is right, the purpose of security is to provide belief in something we cannot prove – it is to persuade us that we have something that we may or may not have. If the purpose of security is ultimately unprovable, it is ultimately meaningless: its only effect is to give us a belief in something that may or may not, like Schrödinger’s cat, actually have legs.
I see Schneier’s relationship between security and trust more like the relationship between preachers and God: the preachers are there to try to prove the unprovable – the existence of God. Many of us believe in God just like many of us have trust. That doesn’t mean that either is valid. Ultimately, trust provided by security is just as much a blind unprovable leap of faith as is belief in God provided by preachers. Personally, I am atheist: I don’t believe the preachers. And I don’t trust, because security is a circular argument signifying nothing.