handouts/ho02.tex
changeset 369 6c7996b6b471
parent 366 34a8f73b2c94
child 386 3c69029f4a1c
equal deleted inserted replaced
368:b46f86d95967 369:6c7996b6b471
   505 \url{http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf}
   505 \url{http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf}
   506 \end{center}
   506 \end{center}
   507 
   507 
   508 \end{document}
   508 \end{document}
   509 
   509 
       
   510 %unikernels for e-voting
       
   511 Trust, trustworthiness, and the TCB
       
   512 
       
   513 The notion of trust is important in security. It is also a source of
       
   514 confusion, especially if people are sloppy in their terminology, and
       
   515 do not distinguish between trust and trustworthiness.
       
   516 
       
   517 Depending on your point of view, trust can be something good and
       
   518 desirable, or something bad and undesirable. Trust between parties is
       
   519 good in that it enables easy interaction and good collaboration
       
   520 between them. However, trust is bad in that trust in another party
       
   521 means that party can do damage to you, if it turns out not to be
       
   522 trustworthy. For example, if you give someone your bankcard and tell
       
   523 them your PIN code, you trust them; this can be useful, for instance
       
   524 if you want them to do some shopping for you, but is clearly also
       
   525 potentially dangerous.
       
   526 
       
   527 Note that if a party is not trustworthy, then it may be so
       
   528 unintentionally (because it is careless or, in the case of software,
       
   529 riddled with security vulnerabilities) or intentionally (because it is
       
   530 downright malicious).  When considering a system that is meant to meet
       
   531 some security objectives, it is important to consider which parts of
       
   532 that system are trusted in order to meet that objective. This called
       
   533 the Trusted Computing Base or TCB.  Ideally, the TCB should be as
       
   534 small as possible. The smaller the TCB, the less likely that it
       
   535 contains security vulnerabilities. (Still, you should never under-
       
   536 estimates people’s stupidity – or an attacker’s creativity – to
       
   537 introduce security vulnerabilities in even the smallest piece of
       
   538 software.) Also, the smaller the TCB, the less effort it takes to get
       
   539 some confidence that it is trustworthy, for example, in the case of
       
   540 software, by doing a code review or by performing some (penetration)
       
   541 testing.
       
   542 
       
   543 
   510 %%% Local Variables: 
   544 %%% Local Variables: 
   511 %%% mode: latex
   545 %%% mode: latex
   512 %%% TeX-master: t
   546 %%% TeX-master: t
   513 %%% End: 
   547 %%% End:
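Review bot: the new text on lines 510-541 is inserted after \end{document} (line 508), so LaTeX stops reading before it and none of it will appear in the handout. If it is meant to be typeset, move it above line 508 and give the title on line 511 ("Trust, trustworthiness, and the TCB") a sectioning command, since as plain text it would run into the following paragraph. If it is only a parked draft, say so in the comment on line 510, which currently reads "%unikernels for e-voting" and does not describe what follows. Two wording fixes before it goes live: "This called the Trusted Computing Base" on line 532 is missing "is", and "you should never under-estimates" on lines 535-536 should read "underestimate". Line 536 also contains a curly apostrophe and en dashes as raw non-ASCII characters; once the text is inside the document body, check that the file's input encoding accepts them or replace them with ' and --.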