From adam Sat Sep 10 15:53:20 1994
Subject: Reputation credits 1/3
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Date: Sat, 10 Sep 94 15:53:20 EDT
X-PGP:876BD629 Fingerprint: 70 93 32 D6 36 D4 04 10 40 EC AB 28 A4 1D 0F E2
Status: RO

After Rishab's posts on the uses of digital reputation credentials, I'd like to present some thoughts on how to implement them.

Thoughts on creating a Reputation Capital Framework

This document is split into three parts: creating a useful, basic system of service, methods of distribution and implementation of reputation information, and possibilities for extending the system which may make the whole thing unworkably complex, but also may make it much more useful.

I am going to begin by not rigorously defining reputation capital. The initial application, IMHO anyway, is magic filtering. The cypherpunks list gets up to 500 messages per week. Right now, I filter based on whose messages I like to read. This is a weak system that requires manual updating. It does not automatically respond when someone who I respect says "I've enjoyed XX's posts." I think that the framework I outline here can do magic filtering well. It also has the ability to evolve into a full-fledged system for complex digital reputations in various realms.

The simplest system would be where people collect statements of the form "I respect Alice. /s/ Bob."* Alice would collect statements like this, and append them to the bottom of her writings so that people who respected Bob would have a clue that they might be interested in what Alice has to say.

A 'web of respect' could easily be formed, with each step away causing some reduction in value. The number would have to be large enough that reputations could spread--i.e., that people could get some use out of this beyond an elaborate name for a kill/hotfile. It would also need to be small enough that reputation lines do not extend forever. Eventually, you don't care what Kim thinks of Louis.
I would guess that some multiplier between .9 and .05 would work well. People you respect directly get the highest rating, people further away lose some amount of that respect until it trickles down to nothing.

* The statement "I respect Alice. /s/ Bob." is analogous to "I find Alice's work interesting, informative, or otherwise worth reading." If someone would like to suggest a name other than reputation credentials for this, I'd be happy to hear it.

Note that in this simple system, statements do not have any numerical value attached. Bob can not respect Alice 30% or 99% of the time, he only gets a binary statement. It's an obvious extension to let Bob say "I respect Alice 80% of the time. /s/ Bob." I only point this out because it is not mandatory that a system be constructed this way, and in fact, even a very simple system could be quite useful.

With the addition of partial respect, the need for an automatic reduction in value becomes much less clear. If Alice respects Bob 50% of the time, and Bob respects Charlie 50% of the time, then Alice will probably find that a 25% respect rating for Charlie is good enough. (I'm not going to get into possible variations here; things seem to work well using percentages for reputation credentials and negative percentages for disrespect. The numbers are multiplied together, shrinking away to nothing pretty quickly, except in the case of a group of people with a good deal of mutual respect for each other.) Also, if several reputation credentials come in for one entity, they can simply be averaged together.

This respect rating is relative; there is no central organization to say that Charlie's Used Cars sells great vehicles 25% of the time, it's just what lets Alice's agents gauge how interesting Alice might consider someone's work to be.
Someone she occasionally respects sometimes thinks well of Charlie, so it's more likely that she will be interested in what Charlie has to say, at least in comparison to someone Alice has never heard of at all.

In this system, it makes sense for Charlie to spend a lot of time making his customers happy at first, and holding on to their endorsements of him, because there is no time limit on the statements, and no way to retract opinions. So, those are two natural enough extensions. Decaying reputations, based on the age of the signature, cause a reputation cred. to eventually become useless.

Then there is the matter of retracting, or post-facto changing your statement of a reputation. This is more problematic. Remember right now, Alice, Bob and Charlie are simply collecting these reputation credentials, and storing them themselves. If Bob sends Alice a statement "I no longer respect Alice at all. /s/ Bob, 1 Sept 1994," Alice can simply forget to include it in her list of reputation credentials. If she commits to it through some cryptographically strong protocol based on her actions, she can probably dump it, and do business for some period of time before someone runs through all the work to confirm her reputation is as she presents it, and discovers she is lying based on outdated credentials. A solid system needs to ensure that up to date, complete credentials are available for most people most of the time.

In my next message, I'll show several possible designs for systems that could exist in parallel to distribute reputation information, and explain why each would be useful. I'll also sketch out a set of programs to demonstrate how the system could be used.

(Message 2)

Design criteria for a reputation service:

* reliable
* trustworthy
* resistant to dropping unflattering credentials
* decentralized
* easy to use
* easier to automate
* needs to support distribution of pseudonyms' reputations without providing information about the nym.

Designing a solid credential server is not an easy task. There are many requirements that one should meet. The basic server I am considering is designed for Internet as it is today. Mostly academics, researchers and students, operating on a highly insecure internet for mostly personal reasons. There are few large transactions occurring on the net; there is not a lot at stake in the grand scheme of things. OTOH, there is an awful lot at stake; specifications, especially bad ones, tend to live forever. Remember the RISKS piece on trains and horses?

Thus the server I present could work well today in conjunction with MPAs (Mail Processing Agents, such as procmail and filter), with newsreaders, and other similar software in order to handle bright filtering (the next generation of kill & hot files should be based on a distributed idea of whose work is worth reading, and whose is not). After that, the system should expand to cover reputations in various realms, reputations for various characteristics, and other things which I'll talk about in the next message.

There are three basic models for sophisticated reputation distribution. The simplest method, of each person handling their own, has too many failure modes to be useful. The sophisticated models are essentially mail, Usenet and server based. I assume all transactions are signed, and encrypted at the user's request to provide some amount of security against forgeries and traffic analysis.

In a server based system, some set of databases exists to collect reputation certificates. A user (better yet, their agent) asks for a reputation certificate for some entity. The server sends it back. This could be built on the 'send everything you know' model, or the request could be for certificates of people who the requester respects. Such filtering might be better done on local CPU. The system has the advantage of carrying all information in an easily queried format. It also has the advantage of concentrating certifications.
Thus you could say things like 'The well regarded spaf' or 'The often ignored Marjorie Simpson,' because the server would collect such data.

The next system would be based on Usenet. People would occasionally post their opinions to a newsgroup, and people who respected those people, directly or transitively, would pull in their postings. This system has the advantage of using existing technologies, and propagating widely, probably even past most firewalls.

A third system would be based on mail. People would subscribe to lists, or send mail to folks they respect saying 'please put me on your reputations list.' The folks thus honored would then respond by sending out regular lists of who they respect or disrespect. This really requires everyone to run some sort of filtering agent. It has the advantage of allowing people to set up closed lists for propagation, and only distributing information on a demand basis. Note that this mail system is not the only one that could use mail for propagation, it simply uses mail as an automatic and regular carrier of information, while a server system would only do so on request.

Both the mail and news systems may fail to provide timely information about new individuals who may have a reputation, but because you never asked for it in mail anywhere, or because articles have expired on your news server, you can not find it. This is the reason the server system would be useful. Not so much in a filtering context, but instead in a system where reputations are relied on for various semi-real time services. The expandability of the system relies in part on its ability to find arbitrary reputation information quickly and automatically. That is something that a server system does well, but a mail or news system does not.

To build a mail system, you would need some sort of decent filter (such as MH filter, procmail, or mailagent) which can run programs based on a set of conditions.
You would need a rule which would watch for incoming reputation cred. certificates (which would be signed, maybe encrypted). This would pipe into your assessment program, which would keep track of how you relate to each of the various people who send you reputation cred. certificates. It would turn all the information into a database.

On any high volume forum, you could filter incoming mail into a set of filters which react based on the numeric scores given to a person by your assessment program. Anyone who carries enough reputation credits to pass your filter goes into one box, everyone else goes into another. (Clearly, you can be more selective, set up several boxes, or whatever else you want.)

The tough part of making this system work is in the generation of reputation credits. Hal mentioned that the Extropians built a system based on buying and selling of reputations on a market. I don't see these reputation credits as being something tangible. You can't carry your reputation credit with you; they exist as a result of your participation in a web of respect. I don't care that Homer Simpson is a well respected authority in rec.drink.brewing; his worlds and mine rarely cross. He can't pick up his reputation credit and plop down in cypherpunks, expecting to be well respected; none of us know him. Or maybe someone does, in which case, they can (automatically) tell us what they think.

Because reputation credit is not fungible, and because it propagates itself, buying and selling it may be confusing. If someone well respected gets an additional unit of reputation, then all the people who he/she respects will also gain slightly.

I expect that a system based on giving away reputation credits would work well. If you respect too many people too much, your value as a link in people's chains will decrease, and people will start disrespecting you, because you disturb their filter.
Eventually, if you keep it up, the value of your reputation credit will drop close to zero, as no one cares about what you have to say anymore. This may fail if someone with interesting things to say decides to disrupt the system. I'm not sure why someone with interesting things to say would think it was worthwhile to disrupt the system, but I don't like designing things on expects and oughts. Perhaps a system could be implemented that would allow you to give reputation credit in 'transferable' and 'non-transferable' forms, so you could respect what someone had to say, but pay no attention to their opinions of people.

I hope, but don't know if I can expect, that a system like this would get its initial momentum from people who want to be able to use it for their own smart filtering. If the system were well designed (easy to change how much reputation credit you give someone), then making a change in your filtering would be as simple as saying "slander tcmay@netcom.com +50" (slander is the working name I've been using to describe the program to enter reputations, good or bad. It came from thinking of this as a Usenet based system.)

If the system could build up some initial momentum from people using it for personal filtering, then it would probably accelerate from there. As more people use the system, it becomes more useful to use it, accelerating its growth. Its growth, hopefully, is not constrained by the underdesign of servers, since each person serves themselves. As the software becomes more useful, it is easy to build and design alternate systems of spreading reputations because the system is decentralized.
If I decide I want to build a system where each person whose first name begins with a vowel gets an extra 5% added to their reputation, and then add 10% to my perception of the reputation credits of anyone who three people I give more than 75% reputation credit to, then I can implement that in my local assessment program without disturbing everyone who relies on my server. (Admittedly, the people who currently pay attention to who I give rep cred to may no longer do so, after strange credits start coming out, but that's a separate problem.)

Assume the distribution problem to be solved, in that people can now easily and reliably get the complete reputation information on an identity that interests them. What extensions to the basic system can be made to make it more useful? What will these extensions do to the usability of the system?

I think the most interesting extension would be to make reputations that apply only in one realm, a realm being some online community, whether that community consists of a single mailing list (Cypherpunks) or several lists, newsgroups (firewalls, bugtraq, comp.security.unix), or even a larger area, perhaps comprising mail, news, www, other interactive services. Clearly, there is some overlap between some realms (security, cypherpunks, hackers). A good reputation in one area might carry over into another, or it might lead to a negative reputation. This effect will probably arise spontaneously from the webs of interaction. Initially, I was going to propose that it be somehow formalized, but now I see that it will arise of its own accord, given a sufficiently flexible and strong system of distributing digital reputation capital on the net.

This does require that negative opinions be made possible, not just low opinions. If Charlie can say "I disrespect David 90% of the time.
/s/ Charlie 1 sept 94" and those opinions can spread the same way as positive ones, then most of the useful interaction between groups is possible in a decentralized, out of control sort of way. I've sort of assumed in other places that negative opinions were possible, I just wanted to explicitly state it.

Another potential extension would be the addition of more varying formalized opinions than the formalistic "I respect/disrespect..." that I've been basing this on. This also has the possibility of just taking way too much work, but has the possibility, with careful design, to be a very useful tool. What if Alice can say "I think David is a fanatic. I also think David is a windbag." and she says these things in such a way that they can be automatically responded to by software?

This would require a carefully chosen list of opinions that the system would support. If you had too many opinions, then the system would be worthless, because, in all probability, people would pick different descriptors, and the information would not correlate into anything useful. The list could probably be fairly short, allowing for terms like windbag, funny, fanatical, reasonable, knowledgeable, trustworthy. That would greatly expand what you could say (or hear) about someone in a simple digital format for automatic scanning and filtering.

The inclusion of terms like trustworthy or reliable could act as the basis for some business. A set of 'reliable' endorsements stretching back 20 years would make me much more comfortable with a remailer business than one that sprung up yesterday and is now well respected by 300 federal agents. None of these endorsements need be formal "I'd do business with them again" statements, the objective is to give an idea of who is thought of well, and who is not. With the addition of an encrypted open books protocol, people could automatically get an idea of what businesses are stable, and liked by their customers.

I've toyed with the idea of being able to rate personalities this way, which would be useful at times, since reputations do exist in the personal world as well as the professional. But any system of personal reputations would fail, because bad mouthing someone with a digital reputation is an open act. Very few people would talk about Alice in a negative light if they know she will hear about it. And even if they do want to, there doesn't need to be an automated system to make it easier.

However, this does raise the interesting idea of a private reputations system. If a group for one reason or another wants to build a reputation service that is closed, in who may add to it and who may access it, would they be able to? It would probably be fairly simple. The slander program could be modified so that no one who didn't already have some reputation capital could be discussed. Using a system that

A useful bit of reputation capital can not be anonymous, although it can be pseudonymous. If it is anonymous, there is no way to give it weight. Cooperative protocols for undeniable digital signatures could probably be designed and made workable. However, I would expect that it would be far too much work to run. I prefer to design a system that requires much less effort. If you want to protect your privacy while participating, work under a nym.

There you have it, an outline of a system for possibly efficient, decentralized digital reputation capital. A bunch of extensions that may or may not work. How to distribute is addressed, but needs more work, and probably a prototype.

The big question in my mind is how to get people to feed enough information into it to seed the system? Once it gets started, it will run for a while on slow growth, and then explode at some random point. (Probably right after a serious design bug is discovered. :) After it explodes in terms of use, it will be self-perpetuating because of its usefulness.
Please feel free to comment on what wouldn't work. How could the system be extended to make it more useful? It might be that building something would be the best way to answer these kinds of questions.
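
The scoring rules from the first message (percentages multiplied along a chain, negative values for disrespect, several credentials averaged) and the two-box mail filter from the second, as an added example that is not part of the original posts. The function names, single-word names for people, the hop limit and cutoff values, and the choice to ignore opinions signed by anyone with a non-positive score are assumptions; signatures are assumed to be verified before a statement is parsed.

```python
import re
from collections import defaultdict

# Statement forms taken from the post. Signature checking (e.g. PGP) is assumed
# to have happened already; names are assumed to be single words.
STATEMENT = re.compile(
    r"I (?P<verb>respect|disrespect) (?P<subject>\w+)"
    r"(?: (?P<pct>\d{1,3})% of the time)?\. /s/ (?P<signer>\w+)")

def parse(statement):
    """Return (signer, subject, weight) with weight in [-1, 1], or None."""
    m = STATEMENT.search(statement)
    if not m:
        return None
    pct = int(m["pct"]) if m["pct"] else 100    # binary form counts as 100%
    if pct > 100:
        return None                             # reject nonsense like 180%
    sign = 1 if m["verb"] == "respect" else -1
    return m["signer"], m["subject"], sign * pct / 100

def assess(me, statements, max_hops=4, floor=0.01):
    """Score everyone reachable from `me` through the web of respect."""
    by_signer = defaultdict(dict)
    for signer, subject, weight in filter(None, map(parse, statements)):
        by_signer[signer][subject] = weight
    scores = {me: 1.0}
    frontier = [me]
    for _ in range(max_hops):
        incoming = defaultdict(list)
        for signer in frontier:
            if scores[signer] <= 0:             # assumption: the disrespected carry no weight
                continue
            for subject, weight in by_signer[signer].items():
                if subject not in scores:       # nearer opinions win; also ends cycles
                    incoming[subject].append(scores[signer] * weight)
        frontier = []
        for subject, values in incoming.items():
            scores[subject] = sum(values) / len(values)   # average several credentials
            if abs(scores[subject]) >= floor:   # stop once respect has trickled away
                frontier.append(subject)
    del scores[me]
    return scores

def sort_mail(senders, scores, threshold=0.2):
    """Split senders into two boxes; unknown senders score 0."""
    boxes = {"read": [], "other": []}
    for sender in senders:
        box = "read" if scores.get(sender, 0.0) >= threshold else "other"
        boxes[box].append(sender)
    return boxes

# Constructed sample statements, written in the forms used in the post.
SAMPLE = [
    "I respect Bob 50% of the time. /s/ Alice",
    "I respect Eve 80% of the time. /s/ Alice",
    "I respect Charlie 50% of the time. /s/ Bob",
    "I disrespect David 90% of the time. /s/ Bob 1 sept 94",
    "I respect David 40% of the time. /s/ Eve",
    "I respect Alice. /s/ Bob.",
]
```

Run from Alice's point of view, Charlie comes out at 25% as in the first message, while David's two conflicting credentials average to slightly negative and he lands in the second box.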