1994-09-10 - reputation credit 2/3

Header Data

From: Adam Shostack <adam@bwh.harvard.edu>
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Message Hash: f891c37468fa57e094a322280a6d9d35456834fc5edabd026380de99ce6085d8
Message ID: <199409101954.PAA01625@bwh.harvard.edu>
Reply To: N/A
UTC Datetime: 1994-09-10 19:54:18 UTC
Raw Date: Sat, 10 Sep 94 12:54:18 PDT

Raw message

From: Adam Shostack <adam@bwh.harvard.edu>
Date: Sat, 10 Sep 94 12:54:18 PDT
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Subject: reputation credit 2/3
Message-ID: <199409101954.PAA01625@bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain



	Design criterion for a reputation service:

	* Reliable
	* trustworthy
	* resistant to dropping unflattering credentials
	* decentralized
	* easy to use
	* easier to automate

	* needs to support distributions of pseudonyms reputations
		without providing information about the nym.

	Designing a solid credential server is not an easy task.  There
are many requirements that one should meet.  The basic server I am
considering is designed for Internet as it is today.  Mostly
academics, researchers and students, operating on a highly insecure
internet for mostly personal reasons.  There are few large
transactions occurring on the net; there is not a lot at stake in the
grand scheme of things.  OTOH, there is an awful lot at stake;
specifications, especially bad ones, tend to live forever.  Remember
the RISKS piece on trains and horses?  Thus the server I present could
work well today in conjunction with MPAs, (Mail Processing Agents,
such as procmail and filter) with newsreaders, and other similar
software in order to handle bright filtering (the next generation of
kill & hot files should be based on a distributed idea of whose work
is worth reading, and whose is not.

	After that, the system should expand to cover reputations in
various realms, reputations for various characteristics, and other
things which I'll talk about in the next message.

	There are three basic models for sophisticated reputation
distribution.  The simplest method, of each person handling their own,
has too many failure modes to be useful.  The sophisticated models are
essentially mail, Usenet and server based.  I assume all
transactions are signed, and encrypted at the users request to
provide some amount of security against forgeries and traffic
analysis.

	In a server based system, some set of databases exists to
collect reputation certificates.  A user (better yet, their agent)
asks for a reputation certificate for some entity.  The server sends
it back.  This could be built on the send everything you know model,
or the request could be for certificates of people who the requester
respects.  Such filtering might be better done on local CPU.  The
system has the advantage of carrying all information in an easily
queried format.  It also has the advantage of concentrating
certifications.  Thus you could say things like 'The well regarded
spaf' or 'The often ignored Marjorie Simpson,' because the server
would collect such data.

	The next system would be based on Usenet.  People would
occasionally post their opinions to a newsgroup, and people who
respected those people, directly or transitively, would pull in their
postings.  This system has the advantage of using existing
technologies, and propagating widely, probably even past most
firewalls.

	A third system would be based on mail.  People would subscribe
to lists, or send mail to folks they respect saying 'please put me on
your reputations list.'  The folks thus honored would then respond by
sending out regular lists of who they respect or disrespect.  This
really requires everyone to run some sort of filtering agent.  It has
the advantage of allowing people to set up closed lists for
propagation, and only distributing information on a demand basis.

	Note that this mail system is not the only one that could use
mail for propagation, it simply uses mail as an automatic and regular
carrier of information, while a server system would only do so on
request.

	Both the mail and news systems may fail to provide timely
information about new individuals who may have a reputation, but
because you never asked for it in mail anywhere, or because articles
have expired on your newserver, you can not find it.  This is the
reason the server system would be useful.  Not so much in a filtering
context, but instead in a system where reputations are relied on for
various semi-real time services.  The expandability of the system
relies on part on its ability to find arbitrary reputation information
quickly and automatically.  That is something that a server system
does well, but a mail or news system does not.


	To build a mail system, you would need some sort of decent filter (such as 
MH filter, procmail, or mailagent) which can run programs based on a set of 
conditions. You would need a rule which would watch for incoming reputation 
cred. certificates (which would be signed, maybe encrypted). This would 
pipe into your assesment program, which would keep track of how you relate 
to each of the various people who send you reputations cred. certificates. 
It would turn all the information into a database. On any high volume 
forum, you could filter incoming mail into a set of filters which react 
based on the numeric scores given to a person by your assesment program. 
Anyone whose carries enough reputation credits to pass your filter goes 
into one box, everyone else goes into another. (Clearly, you can be more 
selective, set up several boxes, or whatever else you want.) 

	The tough part of making this system work is in the generation of 
reputations credits. Hal mentioned that the Extropians built a system based 
on buying and selling of reputations on a market. I don't see these 
reputation credits as being something tangible. You can't carry your 
reputation credit with you; they exist as a result of your participation in 
a web of respect. I don't care that Homer Simpson is a well respected 
authority in rec.drink.brewing; his worlds and mine rarely cross. He can't 
pick up his reputation credit and plop down in cypherpunks, expecting to be 
well respected; none of us know him. Or maybe someone does, in which case, 
they can (automatically) tell us what they think. 

	Becuase reputation credit is not fungible, and because it propogates 
itself, buying and selling it may be confusing. If someone well respected 
gets an additional unit of reputation, then all the people who he/she 
respects will also gain slightly. I expect that a system based on giving 
away reputation credits would work well. If you respect too many people too 
mcuh, your value as a link in peoples chain will decrease, and people will 
start disrepecting you, becuase you disturb their filter. Eventually, if 
you keep it up, the value of your reputation credit will drop close to 
zero, as no one cares about what you have to say anymore. This may fail if 
someone with interesthing things to say decides to disrupt the system. I'm 
not sure why someone with interesting things to say would think it was 
worthwhile to disrupt the system, but I don't like designing things on 
expect and oughts. Perhaps a system could be implemented that would allow 
you to give reputation credit in 'transferable' and 'non-transferable' 
forms, so you could respect what someone had to say, but pay no attention 
to their opinions of people. 

	I hope, but don't know if I can expect, that a system like this would get 
its initial momentum from people who want to be able to use it for their 
own smart filtering. If the system were well designed (easy to change how 
much reputation credit you give someone), then making a change in your 
filtering would be as simple as saying "slander tcmay@netcom.com +50" 
(slander is the working name I've been using to describe the program to 
enter reputations, good or bad. It came from thinking of this as a Usenet 
based system.) If the system could build up some initial momentum from 
people using it for personal filtering, then it would probably accelerate 
from there. As more people use the system, it becomes more useful to use 
it, accelerating its growth. Its growth hopefully, is not constrained by 
the underdesign of servers, since each person serves themselves. 

	As the software becomes more useful, it is easy to build and design 
alterate systems of spreading reputations because the system is 
decentralized.  If I decide I want to build a system where each person 
whose first name begins with a vowel gets an extra 5% added to their 
reputation, and then add 10% to my perception of the reputation credits 
of any one who three people I give more than 75% reputation credit to, 
then I can implement that in my local assesment program without 
disturbing everyone who relies on my server.  (Admittedly, the people who 
currently pay attention to who I gvie rep cred to may no longer do so, 
after strange credits start coming out, but thats a seperate problem.)





Thread