Wednesday, April 8, 2009

Decentralized Reputation I

This is the first post in a series on online reputation systems. I've been meaning to write this for a while, since I've been trying to design one that actually works.

The need for automated reputation

Identity is a troublesome concept on the Internet, where everybody is by default anonymous. In general, it's impossible (without user interaction) to say that two users on different sites are actually the same person. This leads to interesting consequences occasionally, such as the recently revealed social network attacks. It also means that when a new user is registering on a website, it's very difficult to verify that they're a real person, and not some kind of spambot.

The problem I'm trying to solve here is the problem of trust on the Internet - can this random user be trusted? Identity is only half the problem. Obviously, trust is useless without identity; it's impossible to trust someone if you can't even verify who they are. I contend that the converse is also true; that is, identity is useless if you can't establish somehow that you trust that identity. With careful application of public-key cryptography, identity can be considered a solved problem, but trust is far from it.

What we need here is some kind of distributed decentralized reputation system. At a high level, every user in the system needs to be able to see some measure (but not necessarily the same measure) of any other user's trustworthiness. Every user also needs to be able to influence any other user's trustworthiness. The system must also have some way to limit the amount of damage a set of malicious users can do.

Advogato's trust metric provides these properties, and follows my thinking about how to design such a system pretty closely. The only real issue I have with it, after a cursory reading, is that it's centralized, which severely limits its usefulness. On the other hand, finding paths in a potentially very large nonresident graph is kind of difficult. Nevertheless, I feel like it should be possible. In a future post, I'll outline my idea for such a system.
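To make the three requirements above concrete, here is an added example (not code from this post, and not Advogato's implementation): a simplified flow-based metric in the spirit of Advogato's, where each viewer uses themselves as the seed, so different users can see different results. The names, the certification graph and the per-distance capacities `caps` are all constructed for illustration.

```python
from collections import deque

def accepted(certs, seed, caps=(6, 3, 2, 1)):
    """Identities that `seed` accepts. certs maps certifier -> [certified, ...];
    caps[d] is the capacity of a node d hops from the seed (assumed values)."""
    dist, q = {seed: 0}, deque([seed])          # BFS distance from the viewer
    while q:
        u = q.popleft()
        for v in certs.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                q.append(v)
    near = [n for n in dist if dist[n] < len(caps)]   # beyond the horizon: capacity 0
    res = {}                                    # residual capacities
    def edge(a, b, c):
        res.setdefault(a, {})[b] = c
        res.setdefault(b, {}).setdefault(a, 0)
    for n in near:
        edge((n, "in"), "SINK", 1)              # one unit: n itself is accepted
        edge((n, "in"), (n, "out"), caps[dist[n]] - 1)   # the rest flows onward
        for v in certs.get(n, ()):
            if dist.get(v, len(caps)) < len(caps):
                edge((n, "out"), (v, "in"), float("inf"))
    while True:                                 # Edmonds-Karp, one unit per path
        prev, q = {(seed, "in"): None}, deque([(seed, "in")])
        while q and "SINK" not in prev:
            u = q.popleft()
            for v, c in res[u].items():
                if c > 0 and v not in prev:
                    prev[v] = u
                    q.append(v)
        if "SINK" not in prev:
            break                               # no augmenting path: flow is maximal
        v = "SINK"
        while prev[v] is not None:
            u = prev[v]
            res[u][v] -= 1
            res[v][u] += 1
            v = u
    return {n for n in near if res[(n, "in")]["SINK"] == 0}

def demo_graph(n_sybils):
    # Constructed sample: carol was fooled into certifying mallory, who mass-creates identities.
    sybils = [f"sybil{i}" for i in range(n_sybils)]
    g = {"alice": ["bob", "carol"], "bob": ["dave"], "carol": ["mallory"], "mallory": sybils}
    g.update({s: [t for t in sybils if t != s] for s in sybils})
    return g

print(sorted(accepted(demo_graph(200), "alice")))
```

From alice's point of view the result is the same whether mallory creates 5 or 200 fake identities: the damage is capped by how much capacity flows through carol, the one honest user who was fooled.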

2 comments:

Kiriska said...

Interesting. As I consider myself to have a fairly prevalent online identity, and as a lot of the interactions I handle online depend on mutual trust (lalalala commission monies), this is an interesting proposal. Within my communities, I've really seen very few cases of either identity or trust being abused. I always hear about these problems in those other places. It makes me feel that on the map of the Internet, I'm in some nice neighborhood and the rest is the ghetto.

Or something.

In any case, I look forward to seeing more about this. And I'd like to mention that you get PROPPPPPS for knowing that the word Internet is capitalized. x3

Æther said...

I suppose that there's a need for such a thing, but I don't think it's likely that I'm going to understand the solution. A cursory reading of part of your link confused me. Besides that, the networking attacks were mostly due to carelessness on the parts of the users. Things like that wouldn't spread at all if people were more careful.

Also, I'm hoping that this trust metric of yours will somehow still allow me to have multiple aliases. I don't use the same one across all sites, after all.