WebOfTrust


In CollaborativeHypermedia, users are ideally given a large degree of freedom to add, edit, and remove content. Overly strict security mechanisms not only discourage free cooperation, but can fail to protect communities from malicious users.

Systems like the WikiWikiWeb "replace technical security with social and political limits" (CliffordAdams). The WebOfTrust concept attempts to create technical security that is based on the social strength of the community.

The [epinions] community uses a combination of a web of trust and a web of distrust.

[HardSecurity] [CategoryRatingSystem] [CategoryCryptography]


How it works, using PrettyGoodPrivacy (PGP) as an example:

The PGP cryptography system allows you to sign another user's key, indicating that you know the user and have verified with them (usually in person or over the phone) that your copy of the key matches theirs. Signing a key means that you can trust communication encrypted with that key.

Here's the neat part: Not only can you trust that key, but you should also be able to trust other keys which that key's owner has signed. And keys which those keys have signed... and so on. Thus "trust" flows from individual to individual. You have confidence in people you trust, and also in people whom they trust, etcetera.

The system also lets you weight your trust. For example, you may have complete trust in one key's validity and its owner's ability to sign other keys, but only partial trust in another key and owner. This partial trust also reflects on other keys verified by that key.
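The weighting described above, worked through as an added example (not code from this page or from PGP itself). The key names are constructed, and the thresholds (one fully trusted signer or three partially trusted signers, chain length at most five) are assumptions modelled on GnuPG's classic trust model defaults.

```python
# Added example: simplified PGP-style key validity. All names are constructed.
FULL, MARGINAL = "full", "marginal"

def valid_keys(me, signatures, owner_trust,
               fulls_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: chain_length} for every key valid from `me`'s point of view.

    signatures  -- set of (signer, signed_key) pairs
    owner_trust -- {key: FULL or MARGINAL}: how far `me` trusts that key's
                   owner to verify other people's keys
    Thresholds are assumptions modelled on GnuPG's classic trust model.
    """
    trust = {**owner_trust, me: FULL}      # you fully trust your own key
    valid = {me: 0}
    targets = {signed for _, signed in signatures}
    for depth in range(1, max_depth + 1):
        newly = {}
        for key in targets - set(valid):
            # A signature only counts if the signing key is itself valid.
            signers = {s for s, t in signatures if t == key and s in valid}
            full = sum(trust.get(s) == FULL for s in signers)
            marginal = sum(trust.get(s) == MARGINAL for s in signers)
            if full >= fulls_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

# Constructed sample web; alice is "you" and has signed four keys herself.
SIGNATURES = {
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
    ("bob", "frank"),                                          # one full signer
    ("carol", "grace"), ("dave", "grace"), ("erin", "grace"),  # three partial
    ("carol", "heidi"), ("dave", "heidi"),                     # only two partial
    ("frank", "ivan"),                     # frank is valid but not an introducer
}
OWNER_TRUST = {"bob": FULL, "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}

if __name__ == "__main__":
    result = valid_keys("alice", SIGNATURES, OWNER_TRUST)
    for key, depth in sorted(result.items()):
        print(f"{key}: valid at chain length {depth}")
```

In this sample heidi stays unverified because two partially trusted signers are not enough, and ivan stays unverified because frank's key is valid but alice has assigned frank no trust as a signer of other keys.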

The exact mechanics are described here: http://www.rubin.ch/pgp/weboftrust.en.html

(See the TrustMetric page for discussion of what "trust" means.)

A good (fairly long) paper on webs of trust is Khare and Rifkin's Weaving a Web of Trust:

http://www.4k-associates.com/Library/trust


An important part of the WebOfTrust (and what makes it different from a TrustMetric, though the distinction is not always clear) is that it measures trust for each user based on his or her choices.

Check out an idea for WebOfTrustModeration.


See also GovernmentBackedAuthentication. Arguably Government Backed Authentication is a Web Of Trust in which everyone has decided they trust the government and they don't trust anyone else. The idea (on that page) of corporate-backed authentication is another point on the spectrum of scale.

Here are some people who have created a repository for information on who trusts whom. They use this to build a WebOfTrust. Anyone can then download a library that lets their programs query the database to find out the user's trusted neighborhood in the WebOfTrust. Their database will also calculate indirect trust between you and another user by traversing the WebOfTrust.

The project seems to be dead. [Here] is the last available version of the page from the WayBackMachine.

For example, there is a program on the site that lets an Apache server restrict access to web pages to people in your trust neighborhood.


Link to the Web Of Trust For Email wiki at the Anti Spam Research Group web site:

http://www.shaftek.org/wiki/wiki.pl?Web_Of_Trust_For_Email


Discussion
