28 March 2008
Reputation and Maintaining State
I came across Alex Bunardzic's blog on Online Identity and reading it gave me a new perspective on online reputation, and that is state. Here's a brief brain dump (if there is interest and/or further mulling over this, I will expand on this post):
Trust, reputation, identity = someone's collection of attributes
... the need to remember an object's or person's history and attributes, which may change over time = state management
... engineering a reputation or identity system becomes a problem of state management
... for embedded systems and connection-oriented protocols, state management is already something we do, e.g. routing algorithms in P2P nets
... the Web is inherently stateless, so maintaining state requires more work
... for engineering an efficient reputation system, the challenge is in state maintenance and optimising state retrieval.
Thoughts?
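To make the "reputation as state management" point concrete, here is an added example (mine, not part of the original post or of anything Alex wrote): a small event-sourced reputation store in Python. The append-only rating history is the state that has to be remembered; a per-subject snapshot is the derived state that makes retrieval cheap; and replaying the raw history is the ground truth that the snapshot must agree with. The class and function names, the exponential half-life decay model (so that old ratings count for less over time) and all sample ratings are assumptions made for this illustration.

```python
"""Added example (not from the original post): an event-sourced reputation store.

The rating history is the state that must be remembered; a per-subject snapshot
makes retrieval cheap; replay over the raw history is the ground truth that the
snapshot must always agree with.  Names, the half-life decay model and all sample
ratings are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rating:
    subject: str   # entity whose reputation is affected
    rater: str     # entity that issued the rating
    score: float   # -1.0 (negative) .. +1.0 (positive)
    t: float       # time of the interaction, in seconds


# (weighted score sum, weight sum, reference time the sums are expressed at)
Snapshot = Tuple[float, float, float]


class ReputationLedger:
    def __init__(self, half_life: float):
        self.half_life = half_life            # a rating's weight halves every half_life seconds
        self.history: List[Rating] = []       # append-only, authoritative state
        self._snap: Dict[str, Snapshot] = {}  # derived state kept for O(1) retrieval

    def _decay(self, t_from: float, t_to: float) -> float:
        return 2.0 ** (-(t_to - t_from) / self.half_life)

    def _fold(self, snap: Snapshot, r: Rating) -> Snapshot:
        # Re-express the running sums at time r.t, then add the new rating with weight 1.
        s, w, t_ref = snap
        d = self._decay(t_ref, r.t)
        return (s * d + r.score, w * d + 1.0, r.t)

    def _rebuild(self, subject: str) -> Snapshot:
        # Slow path: replay the subject's ratings in time order from the authoritative history.
        snap = None
        for r in sorted((x for x in self.history if x.subject == subject), key=lambda x: x.t):
            snap = (r.score, 1.0, r.t) if snap is None else self._fold(snap, r)
        return snap

    def record(self, r: Rating) -> None:
        if not -1.0 <= r.score <= 1.0:
            raise ValueError("score must be in [-1, 1]")
        self.history.append(r)
        snap = self._snap.get(r.subject)
        if snap is None:
            self._snap[r.subject] = (r.score, 1.0, r.t)
        elif r.t >= snap[2]:
            self._snap[r.subject] = self._fold(snap, r)      # fast path: time moved forward
        else:
            self._snap[r.subject] = self._rebuild(r.subject)  # late-arriving rating: redo the fold

    def reputation(self, subject: str, now: float) -> Tuple[float, float]:
        """Cheap retrieval: (mean score, confidence) at time `now`, from the snapshot alone.
        Confidence is the total decayed weight, so a single old rating counts for little."""
        snap = self._snap.get(subject)
        if snap is None:
            return (0.0, 0.0)
        s, w, t_ref = snap
        if now < t_ref:                  # query predates the latest rating: snapshot unusable
            return self.replay(subject, now)
        return (s / w, w * self._decay(t_ref, now))

    def replay(self, subject: str, now: float) -> Tuple[float, float]:
        """Ground truth: weighted mean over the raw history, ignoring ratings after `now`."""
        s = w = 0.0
        for r in self.history:
            if r.subject == subject and r.t <= now:
                d = self._decay(r.t, now)
                s += r.score * d
                w += d
        return (s / w, w) if w else (0.0, 0.0)


def demo() -> dict:
    """Constructed sample interactions (not real data); returns the values worth checking."""
    ledger = ReputationLedger(half_life=100.0)
    ratings = [
        Rating("carol", "u1", +1.0, t=0.0),
        Rating("carol", "u2", -1.0, t=100.0),
        Rating("alice", "u1", +1.0, t=0.0),
        Rating("alice", "u3", +1.0, t=10.0),
        Rating("alice", "u2", -1.0, t=100.0),
        Rating("alice", "u4", +0.5, t=50.0),   # arrives out of order: forces a rebuild
    ]
    for r in ratings:
        ledger.record(r)
    return {
        "carol": ledger.reputation("carol", now=100.0),        # (-1/3, 1.5)
        "alice_snapshot": ledger.reputation("alice", now=200.0),
        "alice_replay": ledger.replay("alice", now=200.0),
        "unknown": ledger.reputation("dave", now=200.0),        # (0.0, 0.0)
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The split between `history` and `_snap` is the whole point: the history is what you must keep (and protect, since whoever can rewrite it rewrites the reputation), the snapshot is what you serve. The late-arriving rating shows where the work goes once you have such a cache: the cheap incremental update only holds while time moves forward, and anything else has to fall back to replaying the authoritative state.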
27 March 2008
Workshop on Trust in Mobile Environments
I'll be reviewing research papers on trust and reputation mechanisms for mobile systems. This is for the Workshop on Trust in Mobile Environments. Looking forward to this as it's one of those areas that is full of creative output at the moment.
24 March 2008
Reputation-based systems: a security analysis
This was a paper I co-wrote with a bunch of other contributors working in the trust/reputation and security space: "Reputation-based systems: a security analysis" (PDF). It is a position paper on security issues in reputation systems.
A nice thing we did in this paper was to identify concrete use cases for reputation systems to frame our discussion, rather than talking in the general but unusable terms that papers of this sort tend to lapse into. The use cases covered are online markets, P2P networks, spam filters and PKI (my primary area of contribution). The principal threats were then derived by looking at the threats to the reputation systems used in each of these use cases.
Here's the abstract:
ENISA Position Papers represent expert opinion on topics ENISA considers to be important emerging risks or key security components. They are produced as the result of discussion among a group of experts who were selected for their knowledge in the area. The content was collected via wiki, mailing list and telephone conferences and edited by ENISA.
This paper aims to provide a useful introduction to security issues affecting Reputation-based Systems by identifying a number of possible threats and attacks, highlighting the security requirements that should be fulfilled by these systems and providing recommendations for action and best practices to reduce the security risks to users.
Examples are given from a number of providers throughout the paper. These should be taken as examples only and there is no intention to single out a specific provider for criticism or praise. The examples provided are not necessarily those most representative or important, nor is the aim of this paper to conduct any kind of market survey, as there might be other providers which are not mentioned here and nonetheless are equally or more representative of the market.
This paper is aimed at providers, designers, research and standardisation communities, government policy-makers and businesses.
12 June 2007
Identity, Reputation and Trust
Although I have researched, written and talked to people extensively (but not enough!) about trust and reputation, I have always assumed that within whatever model is being discussed there is some kind of effective, secure and convenient method of identifying an entity in the network. It is only recently that I started to look beneath the surface of the topic of identity, and it has made me realise that we are still far from where we want to be with this.
Like reputation, identity, or the problem of identifying someone, is an area that we are still trying to grasp, and there is a lot of debate around it. The timeline looks something like this:
The network community tried to use existing certificate infrastructure like X.509 for the Internet. This didn't really work for an open network. Then PGP came along, and this made PKI less of a black art and accessible to whoever needed it. This worked to a certain extent, but is still too geeky and not transparent enough for most people. Meanwhile, the web world embraced and marketed SSL to allay the general security paranoia that had been created, but the general user never really understood what it was all about. In any case, from the user's perspective, whether the current transaction is secure or not boils down to whether the 'padlock' icon in the browser is 'open' or 'closed' - nobody really bothers to look at the certificate (well, I don't). There were other early attempts to break free from the X.509 shackles, such as SPKI/SDSI and PolicyMaker/KeyNote, but the focus was still really around key management, this time with a deeper understanding of trust management.
But there is a new paradigm in identity management, summarised by this passage by Carl Ellison:
Along the way, we have learned that what is important in certificate (and related) security systems is not the computer-readable data structures and protocols alone. Rather, these certificates, licenses, grants, ACL entries, ..., are a cyberspace reflection of relationships in the physical world - and the security of these systems rests most heavily on the security of the process by which the physical world relationships are bound to their cyberspace reflections. That security far outweighs the more trivial security of private key protection, key length, choice of algorithm, etc., that people have obsessed about for decades.
This brings us to a new wave of electronic ID proposals, such as Sxip (and Identity 2.0), OpenID, and YURL. I'm sure there are lots more out there, but I'm just beginning to scratch the surface myself... I would appreciate any pointers to other new identity management tools out there.
All this is significant with respect to reputation and trust because without identity, it is impossible to reason about them. Furthermore, there is a very intimate relationship between identity and reputation because they are actually two sides of the same coin - you can't talk about one without the other.
I guess the point I'm trying to make is that we can't isolate the topics of identity, reputation and trust from any fora dedicated to these subjects.
8 June 2007
OSCON 2005 Keynote - Identity 2.0
This is old but the topic is probably as current as ever. It is a video of Dick Hardt's (founder of Sxip) presentation at OSCON 2005. There are two things that are great about this presentation: 1) the idea of Identity 2.0, and 2) Dick's presentation style, which is extremely effective.
Go see it.
3 June 2007
Thesis: A framework for decentralised trust reasoning
A copy of my thesis titled "A framework for decentralised trust reasoning" is now available at scribd.com:
European e-ID conference
I'll be attending the European e-Identity Conference on 11 June, and also giving a short talk on the kinds of questions to ask when assessing threats to a reputation system. I've talked and written about identities before, but this is the first time I'm attending a forum on the subject, so it should be interesting.
If you're going to be there, give us a shout for a chat.
[Update]
Unfortunately, due to unforeseen circumstances, I am not able to attend this event, but I'll be more than happy to forward you the material I have prepared for this talk - drop me a mail.