May 01, 2005
Tracking Reputation - CACert
I wrote before on how blogshares is one way to do the meta-blog tracking; a mark of a successful innovation is the springing up of "institutions" that provide cross-society services. Blogs have crossed that bridge and are now serious stuff, then. Adam, who's upset at mindless trackbacks consuming his time, points at Technorati as another version. (Also, Alacrity.)
Before I get to today's main contender, CACert, let me declare my skepticism up front. I have to say I have low hopes for some of these institutions, including Technorati.
I spent 10 minutes browsing and still have little clue what it's about. Apparently it offers more of the same: the ability to have a photo, more links, more ho hum. Another thing that is pretty annoying is their login procedure, which insists on too many details ("what country is your blog in?" who the hell cares? what is this perverse obsession with national stereotypes?) and also asks for your login to the blog itself. What, are you nuts? Or just another smart bunch of spammers harvesting this year's growth of veggie matter?
Reputation systems generally don't work. The reason for this is complex; and I'm not sure whether I am able to voice why it is that the "that'll never work" thing pops up so frequently. It would require a full essay I suppose. But here are some reasons.
The big reason is of course that they all require attention. This means cost. So there has to be a benefit, and a significant one at that, to pay for the cost - simple economics, that.
Yet few of them promise much in the way of benefit. Most of them are way too small in mind to suggest why you would bother. Consider LinkedIn, which is a rather successful network where people run around and link each other in. Having linked people in, you are now in contact with everyone. You can send messages. But you can send messages anyway; all this does is allow you to search their database. If you get a hit you can send a message, but we can already do that other ways. So I conclude that the real benefit accrues to the company running it, which has now amassed a huge database that it sells for employment purposes.
Knowing that LinkedIn is about the employment market rather than your relationship needs is obvious if you are aware of Granovetter's theory of weak links. So we have another reason why reputation systems don't work - if they are just oriented to more and more links, then they raise more and more pointless costs (unless you are after a job), as indicated by Alacrity. Perhaps the principle should be that additional links relate clearly to additional benefit.
Then, the metrics are almost always flawed. Sometimes they are completely flawed, and other times they are just so incomplete as to be laughable. I recall trying out Advogato and being asked to rate myself, so I stuck myself in the middle. Now, if it was a true reputation system, it would rate me up or down. But when I checked other people I knew, they had rated themselves at the top, which had then perpetuated and been accepted by all the other people, who'd simply agreed! In one easy step, Advogato had reduced itself to a self-aggrandisation scheme in the most American of ways. IOW, useless for real tests of reputation (a complaint that has also been levelled against eBay's system). Admittedly, this is to ignore other benefits that might have been there.
To bring us to today's topic, one reputation system starting to make a mark is CACert. Now for a start this promises a benefit: free PKI certificates. They are not really free, as the time and hassle factor of PKI (more costly than any other Internet operation known to mankind!) is still there. But they are free of monetary cost, which is quite welcome, as it meant I was able to create several over the weekend and simply discard the ones that didn't work. Security how it should be - aligned to *my* needs!
(And yes, FC is now more secure thanks to CACert! Switch to https and simply accept the cert 'Forever' and you'll be protected from eavesdroppers.)
The metrics at CACert are interesting. They've taken the "strong government Identity" route, which is bound to make some people nervous. Since when does the government have a monopoly on good identity? As it happens, in some countries they do have good strong systems - Id cards. So as a stab at a basis they are a starting point, although if you've lived in the places I've lived in, you would know not to trust a government-issued Id for anything more than a beer's worth.
CACert also has an issue with privacy and databases that I haven't quite worked out. I really couldn't give two hoots what happens to their root key, but if their identity database gets hacked, I'm looking for my shotgun. The fact that they store all this info, and have good systems in place to make it reliable, means that they have to be a single point of failure in the future.
But what they do have, funnily enough, far and away exceeds the practices of most other CAs. This is simply because they use a points system that is based on personal member checking: members meet in person and check each other. (I haven't tried it out as yet, but because I've been checked out by two members, I can now start checking out others. I'll report back as things develop.)
Which means we now have a web of trust based on 'strongish Id'. This is one of those puzzle pieces that we've been waiting to arise, and now it has - OpenPGP's web of trust didn't do it because it was deliberately not mandated to use 'strong Id'. This leads to two things to look out for in the future: what are the ways in which this can be utilised (other than the free certs), and what are the ways this web of trust can be attacked?
Posted by iang at May 1, 2005 09:23 AM
I've actually made a lot of good contacts via LinkedIn. As has my girlfriend, who is definitely not on the tech side of things (strategy consultant). It's an easy way for her to find people in her area of interest; what we seem to forget very often, which is also my beef with your point about reputation-based systems, is that, although they're crap from an ideal technical perspective, they sort of work and muddle through. Like the Internet as a whole...
Reputation for the purposes of credit makes sense: if there is value worth stealing, then value is assigned to the reputation. Many people have attempted to defraud with phony credit reports, which are in the end a record of reputation in regards to re-payment of money borrowed. So the extending of a line of credit is a reputation issue. Basically many folks talk about the line of credit they can draw upon rather than their cash balance because credit is the real method to determine their worth. In my own mind when I hear the figure I think of the monthly payment they are required to make on the amount stated as their line of credit. To put it simply, reputation must have some bragging rights assigned to it and be desirable. So if a system of assigned value, i.e., reputation, is based on identity and past history, then it must also have credit assigned to it. If reputation does not provide some leverage over the situation, then the unknown situation or future event cannot be addressed by people with a reputation for handling that event. So reputation can be assigned by event and identity, such as a credit event.
Now take the future event of global war and the ability to trust a third party's information or a real life instance of _Curve Ball_, a German spy that provided information on Iran's Atomic weapons program. The review was conducted on the character of Curve Ball and not the information he provided in the past and its truth. So we had within the intel world people that looked at Curve Ball's moral virtues or the lack thereof and those that looked at his past informational record.
The two schemes of determining reputation conflicted and exposed a weakness across various national intelligence schemas for reputation. But if the intel community had a means of betting upon the reputation of Curve Ball, the track record of the bettors might have allowed for a determination to be had without exploring every nook and cranny of his past. So the application of monetary worth to an arbitrary situation of conflicting values creates a reputation on the fly without long-winded standards for reputation. It is the money that means something; as with credit, people value money, and applying that, or figuring out how to apply that, to anything is all that matters.
Former Admiral Poindexter wanted to create just such a system and was soundly trashed in the press. Poindexter knew that narrative discussions are meaningless when dealing with asymmetric attacks and arbitrary schemes of determining reputation. People know what they are willing to risk of value to something, and the aggregated choices of people may be telling for the purposes of reputation, and allow a choice to be made and adjustments when it is wrong to be made more easily. Who really cares about other people's standards for reputation? All that matters is how much you are willing to spend on it based on a future unknown event. Now all that really needs to be done is assign money to various participants and allow them to place bets on the reputations of others.
I think what most people coming up with reputation-tracking systems forget is that reputation is not absolute. It's something that is unique to each person's vantage point; different facts of the past have different meanings and different implications on a person's reputation depending on who is interested in it. Any reputation system that presents the same "reputation" to everyone is broken.
I do believe that good reputation-tracking is possible. After all, what we do with our brains should be possible with our computers, and tracking more reputations than our heads can carry can be beneficial. However, it requires that the reputation system is based purely on the user's judgement. No one should make reputational decisions for me unless I have explicitly or implicitly assigned trust to the other guy's judgement.
This is why OpenPGP works great. While its scope is at the moment limited to the question of identity and reputation of making judgements about other people's identities, the protocol has, IMHO, a lot of potential beyond this. I have actually started setting up a system here: http://alien.epointsystem.org
In order to bring costs down, I have introduced passphrase-based keys for those who cannot be bothered with doing it the good old-fashioned two-factor way: http://pgp.epointsystem.org
The key-management app is in the writing (and so is the article to FC++, sorry for being tardy), and at that point the thing is ready for prime-time.
I think the costs can be brought down to the point where the benefits of being able to check up on other people become worthwhile. The technology is not there yet, but almost.
Are government-issued id cards really all that strong? CACert's web of trust is quite prone to attack, in that you can take the same (potentially forged) id to many different assurers, become an assurer yourself and start assuring bogus identities after that. You can build up your own bogus web of trust.
I do not think the use of government id really makes it more strong than some other reputation systems, especially OpenPGP. People using OpenPGP also use government id in the same way, for establishing trust between people who don't know each other personally. Thus OpenPGP's web of trust can probably be considered just as strong as CACert's.
Still, getting assured means I can issue assured certificates that last much longer than unassured certificates, which *is* a strong incentive to join the system, but only if you are a server admin.
thanks for your comments!
It's important to keep in mind what it is that is being compared with. With CACert, their identity card choice is stronger than other CAs' because CACert does face-to-face meetings and checks 'government issued ID', whereas most other CAs take paperwork that is faxed to them. Faxes are easy to forge, as are notary sigs. Government Ids are a bit more of a barrier (a higher 'cojones' level required). Also, because CACert has multiple checkers, who each use different senses, in person, this can help to mitigate against the one-time attack.
When it comes to OpenPGP's web of trust, it is not correct to say that people check strong Ids. People _may_ use them, or maybe not. In fact there are two communities which swear opposite things: one group swears by government Ids and the other group swears not to look at them. So for any reliance on OpenPGP you can't tell a priori what a signature means; you have to resort to the signer's convention. (I for one do not check the ID, only the verbal FP.)
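The assurance rule from the post (checked by two members, then you may check others), the forged-ID attack raised in the comment above and the multiple-checker mitigation in the reply can be put side by side in a small model. This is an added example, not CACert's code or anything from the post: accounts that presented the same ID document are collapsed into one person, and the check flags any account whose every assurance chain back to a founder depends on that single person. The names, the two-assurer threshold and the document labels are constructed assumptions.

```python
from collections import defaultdict
MIN_ASSURERS = 2  # assumed rule from the post: checked by two members, then you may check others

class AssuranceWeb:
    """Toy assurance web: founders are trusted; each in-person check records the ID
    document shown (a plain label here; a real system would store a hash of it)."""
    def __init__(self, founders):
        self.founders = set(founders)
        self.assured_by = defaultdict(set)  # account -> assurers who checked it
        self.docs = defaultdict(set)        # document -> accounts it was shown for
    def can_assure(self, account):
        return account in self.founders or len(self.assured_by.get(account, ())) >= MIN_ASSURERS
    def assure(self, assurer, account, document):
        if assurer == account or not self.can_assure(assurer):
            raise ValueError(f"{assurer} may not assure {account}")
        self.assured_by[account].add(assurer)
        self.docs[document].add(account)
    def same_person(self, account):
        # Accounts registered with a document this account also used count as one person.
        return {account} | {a for accts in self.docs.values() if account in accts for a in accts}
    def _reaches_founder(self, account, removed):
        seen, stack = set(), [account]
        while stack:
            m = stack.pop()
            if m not in seen and m not in removed:
                seen.add(m)
                stack.extend(self.assured_by.get(m, ()))
        return bool(seen & self.founders)
    def chokepoints(self):
        # Accounts whose every chain back to a founder runs through one person: that
        # sub-web rests on one person's checking, however many assurances it displays.
        out, members = {}, list(self.assured_by)
        for member in members:
            for cut in members:
                removed = self.same_person(cut)
                if member not in removed and not self._reaches_founder(member, removed):
                    out.setdefault(member, set()).add(cut)
        return out

def demo():
    # Constructed scenario: erin is honest; one forged passport goes to four assurers under
    # two accounts, and that pair then mints a sub-web of fake accounts on its own.
    web = AssuranceWeb(founders={"alice", "bob", "carol", "dave"})
    for assurer, account, doc in [("alice", "erin", "P-111"), ("bob", "erin", "P-111"),
            ("alice", "mallory", "FORGED-999"), ("bob", "mallory", "FORGED-999"),
            ("carol", "mallory2", "FORGED-999"), ("dave", "mallory2", "FORGED-999"),
            ("mallory", "fake1", "X-1"), ("mallory2", "fake1", "X-1"), ("mallory", "fake2", "X-2"),
            ("mallory2", "fake2", "X-2"), ("fake1", "fake3", "X-3"), ("fake2", "fake3", "X-3")]:
        web.assure(assurer, account, doc)
    return web
```

Running `demo().chokepoints()` flags fake1, fake2 and fake3 as resting entirely on the mallory pair, while erin and the mallory accounts themselves (each checked by two founders) are not flagged, which is exactly why the shown document, not just the count of assurances, has to be recorded.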
LinkedIn knew what it was and presented itself in that manner - it is a mechanism for economic networking. Orkut is the Internet before AOL joined - topical asynchronous chatting. However the Internet has since moved on. Orkut is dating and jobs and interests and thus nothing. LinkedIn is professional only and thus something.
Relocating to place X? You will find a relocation consultant within three links on LinkedIn. Is this guy a spammer who will demand money upfront? No. So you don't have to go through all the dreck that comes with Monster.com.
LinkedIn works because it is a reputation system in context.
In terms of secure government IDs - a fishing license is a state-issued identification document. Can I use it to board a train? Or, speaking of train wrecks, check out Real ID.
Just approved. Aren't we all safer now?