As Ross Anderson noted in Security Engineering, the use of the bulla in the manner we’ve just described embodies several of the characteristics of security that we discussed in Chapter 3. Specifically, it entails the characteristics of privacy, authentication, information integrity and non-repudiation. Privacy is achieved in conveying the contents of the bulla from the flock owner to the buyer without the shepherd, who is the courier, being specifically aware of the contents. More important, he is unable to alter the contents without the buyer being made aware of it because the bulla is a tamper-resistant and tamper-evident mechanism. Authentication of the identity of the flock owner is conveyed to the buyer through the seal imprinted on the bulla. The sacred symbols establish a source for confidence in the authentication, and a threat against tampering, which might unleash the wrath of gods. The integrity of the information contained in the bulla is established through the unbroken form of the clay pocket. The seal on the bulla also acts as an indicator of non-repudiation that the bulla came from the flock owner. Since ostensibly only the flock owner can produce this seal, he cannot claim that he was not the sender; again, under the threat of sacred intervention. The only one of the security characteristics that we discussed in Chapter 3 that is not established by the bulla is that of authorization. In essence, anyone who came in possession of the bulla could open it. Consequently, the mechanism can not be said to encompass any technique to keep the incorrect person from receiving the message. The assertion of authority to open the bulla is conveyed through social convention external to the mechanism itself. Thus, if a person other than the addressee of the bulla opens it, then that person may be subject to the condemnation of the social (religious) system, and subject to sanctions from that system. The protocol could have actually been more elaborate. Perhaps the receiver was required to send another bulla in return, thereby validating both identity and the amount paid. In any case, we should note that the whole mechanism comprises a vehicle of trust conveyance. Thus, it is an implementation of a trust conveying architecture.

As illustrated in the use of the bulla, but also of paramount importance in other trust architectures, secrets are indelibly linked to the establishment and conveyance of trust. From the earliest times, the establishment of guarded walls to cities or camps has made use of secret passwords to gain passage through the perimeter. In Chapter 5, we discussed in some detail the concept of authentication protocols used to verify the asserted identity of one party, a supplicant, to another party, a sentinel. The model for such interactions is exactly that of provision of a password to a sentry guarding an entry portal to a city or camp. If two parties share a secret, then one can provide the secret to the other in order to establish identity; in this case, the fact that the two parties are in fact friends. However, what happens when there are many persons on patrol outside the perimeter? Does not the fact that each of them must approach the sentinel and provide the password provide significant opportunity for a threat to overhear the password and thereby pass for a friend? This is the problem with establishing and conveying trust through shared secrets; the creation and distribution of the secrets in a trusted fashion in the first place. There are mechanisms for dealing with this dissemination problem, and we’ll get to them later. For the moment, let us consider another significant architecture of trust within large scale systems.

The bulla that we noted above makes use of the conveyance of information in secret as a means of also conveying trust. The clay enclosure, while establishing secrecy of the contained information, also presents an environment of trust through the physical security of the enclosed tokens. This concept of physical security can be taken to much greater extremes and provide us with the safe or vault as a means of establishing trust. A bank, for instance, is a trusted place for storing valuables; money, jewels and the like. A safe or vault is an enclosure that is difficult to access due to its physical construction. Perhaps its walls are made of thick steel or reinforced concrete and its door is impervious steel with a locking mechanism. Thus, when something is placed within the enclosure, we have a clear understanding of the necessary causality for a change to occur in that

Book available at Midori Press (regular)
Book available at Midori Press (signed)
Book available at Amazon (regular)