Trust, but verify
Posted by metaphorical on 22 January 2007
The question has come up whether the phrase “trust but verify” is meaningless, and if it’s meaningful (which I think it is), what its meaning is.
We must keep up our guard, but we must also continue to work together to lessen and eliminate tension and mistrust. My view is that President Gorbachev is different from previous Soviet leaders. I think he knows some of the things wrong with his society and is trying to fix them. We wish him well. And we’ll continue to work to make sure that the Soviet Union that eventually emerges from this process is a less threatening one. What it all boils down to is this. I want the new closeness to continue. And it will, as long as we make it clear that we will continue to act in a certain way as long as they continue to act in a helpful manner. If and when they don’t, at first pull your punches. If they persist, pull the plug. It’s still trust but verify. It’s still play, but cut the cards. It’s still watch closely. And don’t be afraid to see what you see.
A little earlier in history, Oliver Cromwell is alleged to have said,
While preparing to cross a river to attack the enemy one day, Oliver Cromwell stopped and turned to address his troops. “Put your trust in God,” he famously declared, “but mind you, keep your powder dry.”
Finally, to judge from the Google results, the phrase has become common in computer security circles.
This paper introduces a trust-but-verify framework for web services authorization, and provides an implementation example. In the trust-but-verify framework, each web service maintains authorization policies. In addition, there is a global set of “trust transformation” rules, each of which has an associated transformation condition.
If I understand it (not so very likely), the problem is that a web service may require information that’s only obtainable through an intermediary. So A asks B for information that B will request of C. The web service (A) essentially tells B what sorts of conditions ought to be placed on C. B gets the information from C and reports back to A that the conditions were met.
That’s not really different from what Reagan apparently meant by it. Trust is a behavior—I accept what you say, or what you do, but I’m monitoring the situation.
The people who object to the phrase don’t see trust that way. Acceptance is one thing, trust is another. On the mailing list where this came up, one person said, “Which part of that situation is ‘trust’? I see accept and verify.” On this view, trust seems to be blind, an acceptance without verification.
When it comes to the meaning of ordinary words, you can, to paraphrase Yogi Berra, hear a lot just by listening.
When we talk about trust, we seem to implicitly rely on a sort of continuum of trust, with blind trust at one end of it. There are degrees of trust. “I trusted him, but not completely.” When someone says, “I wanted to trust him, but couldn’t” they’re way down at the other end of the continuum.
In rock climbing, we have some trust issues (as you might imagine). Suppose you’re at the cliff and someone has one of your favorite routes set up with a toprope. That is, they’ve made an anchor at the top, run their rope through the anchor, and are belaying one another from the ground.
You’d like to climb it, and the party that’s there is okay with your using their rope. This is phenomenally convenient; the alternative—that they break down their set-up, you set up the route yourself, climb, break your set-up down, they set up again—would be absurd.
Yet, your life will be on the line, relying on their anchoring skills. Some people will just climb. After all, these people are willing to risk their own lives on their anchoring skills (assuming they’ve been toproping the route for a while before you came along). Others aren’t quite that sanguine. Some will want to see for themselves. They’ll go up and check on the anchor set-up. “I don’t trust it unless I see it,” they might say. There’s a middle ground, though—ask some questions.
“What’s the anchor up there?” you ask. They tell you what gear they used. “So you have three pieces, but they’re all passive pieces?” you ask. “You didn’t use the tree? And what about the horizontal crack about three feet up? It can take a gold cam.” And so on. This works a little like progressive computer-based testing. If you mess up a question early on, you’ll have to answer a bunch more. You’re going to trust, but, like the web service, you’re basically verifying the person’s integrity, or competence, or trustworthiness.
That is, essentially, what Reagan said. “If and when they don’t, at first pull your punches. If they persist, pull the plug. It’s still trust but verify.”