Trust March 24, 2009

“Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make set of assertions about a set of subjects and/or scopes.” [from the WS-Trust spec]

This means that one entity will claim some information about a subject to another entity, which will rely on it. This is pretty much the same trust concept used in the identity management models described in Cardspace (now codename Geneva), Higgins, and other centralized approaches (which are actually based on WS-Trust and WS-Security).

A user registers (establishes a relationship) with an IdP (Identity Provider). Due to this relationship, the IdP is able to prove and manage the user's claims. This relationship between the user and the IdP, depending on the claims involved, should be based on an SLA, and the IdP may have to acquire data from the user (through registration, for example) by a reliable process (such as checking the user's national ID to be sure that he is an adult).

This example is what the literature sometimes describes as policy-based trust. It relies on the security behind the agreements of the identity authorities, which are enforced by certifications, audits and SLAs. The trust result is binary: the claim is either trusted or not trusted.

However, trust can also be extended to reputation systems, where entities have their reputation rated by other users who do not have an SLA-based relationship with them. This is very useful in scenarios where it is important to generate trust over claims that are somehow subjective or context-dependent (such as: “is this an interesting article?” – that depends for whom, “is the staff of that restaurant friendly?” – that relies on a personal opinion), or when an IdP would not have enough mechanisms to be responsible for the claims, or when it would not be feasible for it to be (such as in on-line auction systems).

In those cases, every individual who takes part in the system and is able to create or support a claim is somehow an IdP. This mechanism in general relies on a system or entity that offers an identity to the user so he can act as an “IdP”, and which offers the IT infrastructure for those users to play that role. This entity or system can have a more neutral role, offering the IT infrastructure and the rules for stating and supporting claims, or it may have a more active role, such as mediating and filtering claims, giving special weights to some users' claims, or requesting and validating information about the user who will act as an “IdP” in order to raise the trust in him.

With each user acting as an IdP, users can establish digital relationships among themselves, based on long-term relationships such as friendship or on less established relations, such as both having been engaged in an operation that involved trust (such as an online purchase) in which everything went ok. Those long-term or short-term relations could be explored to build a trust network, a web-of-trust, somehow similar to a federation (but looser, as it is not based on contracts).

This good article about reputation trust models describes some research done towards the development of trust metrics that can predict the trustworthiness of a person or claim based on the relationship between the person or claim owner and the trust network of the person who is accessing the claim. It points out the concepts of the Global Trust Metric, which takes into consideration the opinion of the whole network in order to assess the trustworthiness of the claim, and the Local Trust Network, which restricts trust building to the feedback from users in the same trust network as the user who is checking the veracity of the claim.
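
The difference between the two metrics described above, as an added example that is not from the cited article or from this post. The trust graph, the ratings, the two-hop limit and the per-hop decay weight are constructed assumptions.

```python
from collections import deque

# Constructed sample data (not from the cited article).
# TRUSTS: who lists whom as trusted. RATINGS: each rater's opinion of one
# claim, 1.0 = supports it, 0.0 = disputes it.
TRUSTS = {
    "alice": ["bob", "carol"], "bob": ["dave"], "dave": ["erin"],
    "frank": ["gina", "hank"], "gina": ["frank"], "hank": ["frank"],
}
RATINGS = {"bob": 0.0, "carol": 0.0, "dave": 1.0,
           "frank": 1.0, "gina": 1.0, "hank": 1.0}

def trust_network(trusts, evaluator, max_hops):
    """Return {user: hops} for users within max_hops trust edges of evaluator."""
    hops = {evaluator: 0}
    queue = deque([evaluator])
    while queue:
        user = queue.popleft()
        if hops[user] == max_hops:
            continue  # do not expand past the hop limit
        for peer in trusts.get(user, []):
            if peer not in hops:
                hops[peer] = hops[user] + 1
                queue.append(peer)
    del hops[evaluator]
    return hops

def global_trust(ratings):
    """Global metric: every rater in the whole network counts equally."""
    return sum(ratings.values()) / len(ratings) if ratings else None

def local_trust(trusts, ratings, evaluator, max_hops=2, decay=0.5):
    """Local metric: only raters in the evaluator's own trust network count.
    Assumption: a rater's weight is decay ** (hops - 1)."""
    weighted = total = 0.0
    for user, dist in trust_network(trusts, evaluator, max_hops).items():
        if user in ratings:
            weight = decay ** (dist - 1)
            weighted += weight * ratings[user]
            total += weight
    # No rater in the network: the local metric has no basis for an answer.
    return weighted / total if total else None

if __name__ == "__main__":
    print("global:", global_trust(RATINGS))
    for who in ("alice", "frank", "carol"):
        print(who, "local:", local_trust(TRUSTS, RATINGS, who))
```

For alice the global score is about 0.67 while her local score is 0.2, because most raters who support the claim sit outside her trust network; carol trusts nobody, so her local metric returns no answer at all.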

This other article comments on the success of using reputation systems built on individual on-line feedback to provide reasonable trust in systems that seem really risky, such as on-line auctions. Moreover, this kind of reputation-based information is being given more and more credit and now carries a big weight in users' decisions, varying from choosing which music album to buy to which company to invest in. Due to the fast dynamics of today's world and the widespread availability of information, the lack of knowledge in some decisions is being compensated by information gathered through trust relationships.

I see a big trend in the usage of reputation systems for more and more cases. As an example, Wikipedia, as a collaborative environment, has a trust base pretty similar to a reputation system, and it is accepted by a great number of people as a very reliable information source (this post in fact shows that Wikipedia is as accurate as the Britannica encyclopedia). Based on that, I am currently reading about trust models in order to build a seamless Local Trust Network based on the SIM card pervasiveness, the new cool features showing up in mobiles and the SIM identities. In case you are looking for similar reading, please feel free to share and to ask me for articles I may have collected.



