Local and Context Dependent Trust Protocol Ideas

From TrustLet, a free, collaborative project for collecting and analyzing information about trust metrics.

This proposal was originally started by Callum Macdonald.

I've been thrashing an idea round in my head for a while about how to create an open, standard protocol for establishing trust. Something that could gain as widespread acceptance as SMTP (not a transport protocol though). I believe the only way it'll happen is if it's a completely open protocol.

Contents 1 Core Technologies 2 Open Social Web 3 Linking 4 Email 4.1 Possibility

[edit] Core Technologies

I believe all the core technology exists already. Some examples include:

• GPG Encryption / Signing
• Hashing (SHA1, md5, etc)
• MicroID
• XFN

[edit] Open Social Web

I think an open social networking framework would be a key building block to build a trust system on top of. Currently, people have many and disparate identities online. I have my own domain name and web site, accounts on countless forums and wikis, several openID identities, and so on. Until I can uniformly tie these together and "claim ownership" of them all, any trust system will be incomplete.

[edit] Linking

Google's PageRank system is a very simple example of a trust network. Google assume that if I link to your web site, that shows some level of trust. Further, by using the rel tag, I can say rel="nofollow" if I trust your site less.

A more sophisticated trust network could be this simple. It might be as simple as to say "I (Callum Macdonald) trust this url 95%". If I was able to cryptographically sign this statement, those who trust me could trust the statement.

Do you know about XFN? It does somehow what you want to accomplish. And there is no need to sign anything because whatever is on my domain is certified (assumption: I'm the only one able to create rel on my domain) and whatever is out of my domain is not certified. --PaoloMassa 09:14, 19 September 2007 (PDT)

With rel="me" you can point to all your identities. Here the rational at http://gmpg.org/xfn/and/ This is a simple service built on top of this simple idea: http://www.plaxo.com/info/opensocialgraph and check how it works on my homepage. Of course feel free to move these things in the discussion page or to transform them into sentences ;-) --PaoloMassa 09:19, 19 September 2007 (PDT)

Agreed, XFN is a great start in terms of defining relationships. It might well be a good basis upon which to build a trust protocol. --Callum 20:41, 20 Sep 2007 (GMT+1)

[edit] Email

Unsolicited (or spam) email is one of the biggest problems of online communication. It's no longer sensible to publish your email address in machine readable format, because you will undoubtedly receive tremendous amounts of spam. A standardised trust system would help to solve this problem.

There are currently several techniques to detect spam:

• Filtering based on the content of the email
• Sender / recipient white / black listing
• Sender Policy Framework (SPF)

White / black listing and SPF are crude trust systems.

White / black listing relies on you trusting somebody else to produce a list of good / bad emails. This list can be created / maintained by a community, so in essence it is a global trust metric with all the limits therein.

SPF is a mechanism whereby I can publish a DNS record that says "I will only ever send mail from these servers...". This means if a server receives mail claiming to be from me but from another server, it can be assumed it is not to be trusted. This is a special type of trust metric.

[edit] Possibility

However, if it were possible for me to publish trust statements about email addresses, I could based my filtering of incoming emails based on those trust statements. For example, I could say "I (me at domain.com) trust user at site.com 60%". If this type of system were standard, then when I receive an email, I could look at all the people I trust, look at who they trust, and so on to figure out how much I trust the newly received email.

This would provide for far more sophisticated filtering than current methods.

there are already some proposals (and even software) such as TrustMail: Reputation Network Analysis for Email Filtering from my friend Jennifer Golbeck. But the problem as usual is "how do you get adoption of your idea?" --PaoloMassa 09:25, 19 September 2007 (PDT)

I think the key to widespread acceptance is backwards compatibility. If trust can be bolted on top of existing email systems, using the existing protocol, then I think there's a potential upside, little downside. So the transition from "standard" email to "trust" email can be gradual. Thanks for the link to the paper, I'm going to read it now. --Callum^Talk 00:29, 22 Sep 2007

Maybe something simple as adding an extra header in email addresses could work: e.g. X-microid-url: http://guaka.org. It's easy for the recipient to check that the URL belongs to that email address. From there it can fetch XFN data and make a judgment about trust. guaka^wikitalk 14:56, 22 September 2007 (PDT)

That's an interesting idea. It's simple, yet it's also secure, there's no way to claim you're somebody else unless you have control of their domain. --Callum^Talk