TITLE: Living with the Consequences of Intransitive Trust SPEAKER: Bruce Christianson (Department of Computer Science, Hertfordshire University) ABSTRACT: Many accounts of online trust are based upon mechanisms for building reputation. Trust is portrayed as desirable, and handing off trust is easier if trust is modelled to be transitive. But in the analysis of cyber-security protocols, trust is usually used as a substitute for certain knowledge: it follows that if there is no residual risk, then there is no need for trust. On this grimmer understanding, the less that users are required to trust, the better. Involuntary transitivity of trust becomes corrosive, because it prevents participants from having controlor even knowledgeof the risks to which their trust assumptions expose them. We argue that controlling the transitivity of trust requires us to recognise trust as a non-referentially transparent intensional modality, similar to but significantly weaker than the epistemic modalities, and to accept the corollary that reasoning about the extensional state of the system is not sufficient. Imaginary, and even impossible, threats can have real consequences that adversely affect online security. Agents require the capability to predicate accurately about states of affairs that are logically inconsistent with their beliefs, and consequently, designing secure systems is more akin to diplomacy than engineering.