From: Adam Shostack <adam@bwh.harvard.edu>
Date: Sat, 10 Sep 94 12:53:47 PDT
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Subject: Reputation credits 1/3
Message-ID: <199409101953.PAA01613@bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain


After Rishab's posts on the uses of digital reputation credentials,
I'd like to present some thoughts on how to implement them.


Thoughts on creating a Reputation Capital Framework

 This document is split into three parts: A creating a useful, basic system 
of service, methods of distribution and implementation of reputation 
information, and possibilities for extending the system which may make 
the whole thing unworkably complex, but also may make it much more useful. 

	I am going to begin by not rigorously defining reputation
capital.  The initial application, IMHO anyway, is magic filtering.
The cypherpunks list gets up to 500 messages per week.  Right now, I
filter based on whose messages I like to read.  This is a weak system
that requires manual updating.  It does not automatically respond when
someone who I respect says "I've enjoyed XX's posts."  I think that
the framework I outline here can do magic filtering well.  It also has
the ability to evolve into a full fledged system for complex digital
reputations in various realms.

	The simplest system would be where people collect statements
of the form "I respect Alice. /s/ Bob." *  Alice would collect
statements like this, and append them to the bottom of her writings so
that people who respected Bob would have a clue that they might be
interested in what Alice has to say.  A 'web of respect' could easily
be formed, with each step away causing some reduction in value.  The
number would have to be large enough that reputations could
spread--ie, that people could get some use out of this beyond an
elaborate name for a kill/hotfile.  It would also need to be small
enough that reputations lines do not extend forever.  Eventually, you
don't care what Kim thinks of Loius.  I would guess that some
multiplier between .9 and .05 would work well.  People you respect
directly get the highest rating, people further away lose some
amount of that respect until it trickles down to nothing.

	* the statement "I respect Alice. /s/ Bob." is analogous to "I
find Alice's work interesting, informative, or otherwise worth
reading.  If someone would like to suggest a name other than
reputation credentials for this, I'd be happy to hear it.

	Note that in this simple system, statements do not have any numerical 
value attached. Bob can not respect Alice 30% or 99% of the time, he only 
gets a binary statement. Its an obvious extension to let Bob say "I respect 
Alice 80% of the time. /s/ Bob." I only point this out because it is not 
mandatory that a system be constructed this way, and in fact, even a very 
simple system could be quite useful. With the addition of partial respect, 
the need for an automatic reduction in value becomes much less clear. If 
Alice respects Bob 50% of the time, and Bob respects Charlie 50% of the 
time, then Alice will probably find that a 25% respect rating for Charlie 
is good enough.  (I'm not going to get into possible variations here; 
things seem to work well using percentages for reputation credentials 
and negative percentages for disrespect.  The numbers are multiplied 
together, shrinking away to nothing pretty quickly, except in the case of 
a group of people with a good deal of mutual respect for each other.)  
Also, if several reputation credentials come in for one entity, they can 
simply be averaged together.

 This respect rating is relative; there is no central organization to say 
that Charlie's Used Cars sells great vehicles 25% of the time, its just 
what Alice's agents will be able to gauge how interesting Alice might 
consider someones work to be. Someone she occasionally respects sometimes 
thinks well of Charlie, so its more likely that she will be interested in 
what Charlie has to say, at least in comparison to someone Alice has 
never heard of at all. In this system, it makes sense for Charlie to spend 
a lot of time making his customers happy at first, and holding on to their 
endorsements of him, because there is no time limit on the statements, and 
no way to retract opinions. 

	So, those are two natural enough extensions.  Decaying reputations, 
based on the age of the signature, cause a reputation cred. to eventually 
become useless.  Then there is the matter of retracting, or post-facto 
changing your statement of a reputation.  This is more problematic.  
Remember right now, Alice, Bob and Charlie are simply collecting these 
reputation credentials, and storing them themselves.  If Bob sends Alice a  
statement "I no longer respect Alice at all. /s/ Bob, 1 Sept 1994," Alice 
can simply forget to include it in her list of reputation credentials.  
If she commits to it through some crytpographically strong protocol based 
on her actions, she can probably dump it, and do business for some period 
of time before someone runs through all the work to confirm her 
reputation is as she presents it, and discovers she is lying based on 
outdated credentials.  A solid system needs to ensure that up to date, 
complete credentials are available for most people most of the time.


	In my next message, I'll show several possible designs for systems that 
could exist in parallel to distribute reputation information, and explain 
why each would be useful.  I'll also sketch out a set of programs to 
demontstrate how the system could be used.