1994-09-07 - Re: Reputation Capital papers?

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 4f967363603060056eaa057549a75a5494f94891a4a7348db4de4b0e54180d13
Message ID: <199409070445.VAA20261@jobe.shell.portal.com>
Reply To: <199409070258.WAA09806@zork.tiac.net>
UTC Datetime: 1994-09-07 04:46:15 UTC
Raw Date: Tue, 6 Sep 94 21:46:15 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Tue, 6 Sep 94 21:46:15 PDT
To: cypherpunks@toad.com
Subject: Re: Reputation Capital papers?
In-Reply-To: <199409070258.WAA09806@zork.tiac.net>
Message-ID: <199409070445.VAA20261@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Thanks to Bob Hettinga for providing a reference to that paper which
discusses several issues related to what we might call "reputation
capital".  I was able to fix my Postscript problems and get the whole
paper printed.

Two of the three authors are the originators of the NetCash proposal.  I
gave that paper a pretty negative review here a few months ago, mostly
because their "cash" was non-anonymous, and was really a digital
certified check.  That's fine, although not IMO cryptographically
interesting and I really didn't see much about their proposal that wasn't
obvious.

I find this paper more interesting.  They discuss the general issues of
servers establishing credibility with clients through various strategies:
licenses, where a legal agency provides a credential that the server
meets various minimum standards; endorsements, which are similar but
which tend to come from private agencies and will often have a range of
levels (like the 1 to 5 diamond ratings granted to hotels by the AAA);
insurance, where an insurance company guarantees that suits are possible
in the case of breach of contract; and surety bonding, which is similar
but covers a wider range of unsatisfactory completions to the 
relationship.  Most of these make sense in the context of business
interactions as well as traditional client/server computing.

After a promising introduction, the paper takes a mundane turn, proposing
data structures to encode information about these various kinds of
"assurance credentials", with slots for what is covered, to what amount,
under what conditions it would apply, etc.  I think it is way premature
to try to specify what kinds of information would be in these
credentials.

They do get into some more interesting material when they discuss ways in
which these credentials might be shown and authenticated.  Generally, the
assurance credential is created or issued by some 3rd party: a bank, an
insurance company, a government, a rating agency like AAA or Consumers
Union.  (We would probably add, individuals known to the client.  The
authors have something of an institutional bias, and discuss institutions
providing credentials to benefit other institutions, neglecting the
problem of how individuals establish their own credibility.  This is
especially noticable in their section 7.3 where they point out that
institutions which hold large sums of money for their clients will have
much greater authentication requirements than those which grant credit.
The obvious symmetry of the two situations appears to escape the authors'
notice.)  Once the credential is given to the server, it can then show it
to the client.

They do appear to allow for something similar to blinded credentials.
The term they use for these credentials is "proxies" because in a sense
the credential acts as a proxy, a substitute, for the organization which
issued the credential.  (The real reason for this strained terminology is
to tie this paper in with the senior author's other papers, IMO.)  They
suggest that there would be two classes of proxies: "bearer" proxies,
which appear not to have the server's identity explicitly encoded, but
which are granted under terms in which only servers knowing a particular
secret key are considered to be valid; and "delegate" proxies, which
appear to explicitly encode the server's identity.  The author's
terminology is a bit hard to follow here, so it is possible that I am
missing their point, but it does sound like they have the germ of the
idea of being able to show a credential in a way where the credential is
not explicitly identity-bound.

Of course, they have missed the point of blinding of credentials (they
give no sign of ever having heard of the concept), and the bearer
proxies would actually be linkable by the proxy issuer.  It is not
really clear what the value is of the very limited form of anonymity
allowed by bearer proxies.

After this rocky portion (the authors really need to read the literature!
this is the same problem that NetCash had) they move into quite a
dramatic and impressive vision of a "web of trust" system of credentials
backing up credentials.  The point is that the issuing agencies
themselves may need backup (what is the value of an endorsement by the
Direct Mail Marketing Association if you've never heard of them?)  This
leads to the concept of "transitive assurance" in which A endorses B and
B endorses C, allowing you to follow the chain and give some credibility
to C.  Here is one good point they make:

"Transitive assurance may extend to an arbitrary depth, but longer chains
generally promote less confidence.  Where assurance is rated, heuristics
are needed for deriving the combined assurance rating from the metrics
and limits associated with the individual credentials involved.  Such
heuristics are a topic for further study."

Alert readers will see a connection to the PGP web of trust, and the
authors actually make this connection.  They go on to point out that in
PGP certifications pertain to identity only.  There is no mechanism in
PGP to endorse the signing and endorsement policies of other users.  This
was the point I made some time back in a posting here in which I pointed
out that the "web of trust" is a misnomer because you can only trust keys
which you have verified directly or where you know and trust someone who
knows the end user.  In contrast, a system of transitive assurance is a
true web of trust, where Consumer's Union endorses the Microwave
Manufacturers' Association which endorses Joe's Microwave Repair,
allowing me to trust Joe even though I've never heard of the MMA.

The authors have a nice diagram showing a web of credentials with clients,
and various kinds of authenticating and endorsing agencies, all in a
complicated system of connections.  I think this is very close to the
ideas people have had here for how a system of reputation credentials
could work.

They also discuss how assurance credentials could be used to give credibility
to an issuer of electronic cash.  Banks or other financial agencies could
provide credentials that the issuer had assets greater than a certain
amount (so you know the currency is backed), and auditors could provide
credentials that the books balance.  Once again they have neglected the
interesting topic of how or whether blinded credentials could work but
this is not a bad start.

In a way it is kind of sad to see how primitive the understanding is of
these issues in the "mainstream".  OTOH it is good to see any discussion
at all.  Hopefully papers like this will attract some interest on the
part of the many people who are trying to jump onto the internet-business
bandwagon.

Hal





Thread