G. Klyne
Nine by Nine
October 4, 2004

Survey of Papers from the iTrust 2003 and 2004 Trust Management Conferences

Abstract

This memo contains a survey of the main papers from the first two iTrust conferences on Trust Management, held in 2003 and 2004.

© 2004, Nine by Nine

$Id: iTrust-survey.html,v 1.1 2004/10/19 14:42:05 graham Exp $




1. Introduction

The iTrust conferences on Trust Management [1][2] have been convened to bring together contributions from researchers into Trust coming from a variety of disciplines, including computing, economics, law, sociology and philosophy. This note is a survey of papers from the first two such conferences, which attempts to identify and draw out the multidisciplinary aspect of the contributions.

Paper summaries and topic categorizations are highly personal and subjective.




2. Conference papers survey

This section summarizes each of the conference papers. Each paper is assigned an identifier of the form lncsnnnn_pp_pp, which is derived from its appearance in the Springer LNCS publication series:

nnnn
is the LNCS volume number (2692 for the 2003 conference and 2995 for the 2004 conference).
pp_pp
is derived from the page numbers within the published conference proceedings.

2.1 Architecture and Algorithms for a Distributed Reputation System

Identifier:
lncs2692_1_16
Author(s):
Michael Kinateder, Kurt Rothermel.
Trust definition(s):
A subjective expectation an agent has about another's future behaviour based on the history of their encounters.
Categories:
computation, reputation.

Proposes a model and algorithm for a distributed reputation system based on a formalized model of trust.

The system model consists of a number of agents that act as proxies for users of the reputation system. These agents may form network neighborhoods that pool information about a given trust category. The trust categories themselves may be related by a graph, which allows for one category of trust having impact on another.

Each agent's trust in another agent is modelled as: a scalar trust value (0..1), with no experience being treated as no trust; a confidence vector containing information about the experiences on which the trust is based; and a blacklist flag that is set to indicate that recommendations from the corresponding agent are to be disregarded.

Each agent tracks its own list of recommendations, and also those recommendations received from other agents, providing a basis for evaluating (hypertext-like) a 'hub' and 'authority' rating for each agent.

A recommendation consists of: the identity of that being rated (including its category), a rating value (which is an arbitrary simple or complex value), the identity of the recommender, and a rating confidence value.

2.2 Regularity-Based Trust in Cyberspace

Identifier:
lncs2692_17_32
Author(s):
Naftaly H. Minsky.
Trust definition(s):
(None given).
Categories:
philosophy, computation.

This paper starts with a philosophical discussion of trust, identifying two kinds of trust: familiarity-based and regularity-based.

It then proceeds to describe "law governed interactions" (LGI), and an architecture for a distributed trusted third party arrangement that can be used to ensure that the rules of LGI are followed by their participants. A hypothetical case study of e-cash payments for services is used to illustrate these ideas.

Finally, a claim is made that the architecture described allows interactions facilitated by regularity-based trust to be actioned, but depending on a seed element of familiarity-based trust.

2.3 A Trust Matrix Model for Electronic Commerce

Identifier:
lncs2692_33_45
Author(s):
Yao-Hua Tan.
Trust definition(s):
(None given, but implicitly related to willingness to make a decision that carries risk dependent on the trusted party's behaviour).
Categories:
economics.

This paper examines the trust concerns facing business concerns having no previous interaction with regard to entering into an e-commerce transaction.

The trust concerns are analysed into a matrix, one of whose axes concerns kinds of reason that may cause a party to be trusting (social signs, experience, understanding, community), and the other concerning levels of business activity within which trust must be established (communication, transaction and regulation, relationship).

In each case, trust is further analysed as party trust (the extent to which a proposed trade partner is trusted) and control trust (the extent to which a satisfactory outcome can be ensured in spite of how the trade partner may behave).

Two cases are analyzed according to this matrix, showing very different criteria that may be used in practice to establish first-trade trust.

2.4 Hardware Security Appliances for Trust

Identifier:
lncs2692_46_58
Author(s):
Adrian Baldwin, Simon Shiu.
Trust definition(s):
Subjective belief about a system or entity in a particular context.
Categories:
computation.

This paper analyses the trust relationships in an e-commerce outsourcing scenario, exposing a number of implicit as well as explicit elements of trust.

It then goes on to discuss how hardware security modules can be deployed to provide a finer granularity of control over the exercise of trust required to achieve some goal. The aggregate trust to be exercised is not changed, but the hardware modules allow the trust to be vested across a greater number of trustees (who are assumed not to collude), thus reducing the exposure to default by any one party.

This paper discusses trust issues very much at the level of system requirements, rather than dealing with specific architectural or algorithmic issues.

2.5 Managing Trust and Reputation in the XenoServer open platform

Identifier:
lncs2692_59_74
Author(s):
Boris Dragovic, Steven Hand, Tim Harris, Evangelos Kotsovinos, Andrew Twigg.
Trust definition(s):
(No complete definition; emphasis on subjectivity and context dependence; implicitly related to decision making in the face of risk).
Categories:
computation, reputation.

This paper describes the architecture of the XenoServer/XenoTrust platform, and says relatively little about the specific nature or modelling of trust. Key trust management ideas are: (a) some form of "authoritative" trust, especially with respect to identity, is needed to "bootstrap" the system, and (b) participants may all have different views about what is important, and differing requirements about how to evaluate trust from advertised statements.

There is a clear distinction between "authoritative" and "reputation-based" trust: the former is Boolean, and presumed to be absolutely determined by some out-of-band mechanism; the latter is a continuous value based on published statements by participants in the overall system.

There is no single standard of behaviour or trust assignment model: the design separates the trust management system architecture from the details of trust. The paper proposes the use of a functional language for participants to describe rules for evaluating trust from published statements.

2.6 Trust-Based Protection of Software Component Users and Designers

Identifier:
lncs2692_75_90
Author(s):
Peter Herrmann.
Trust definition(s):
The user's [of a software component] belief or disbelief in the [security of] the particular component [and] their uncertainty about it.
Categories:
computation, reputation.

This paper focuses on the relatively limited application of trust in the context of security of software built from independently developed components. (Although limited, this may have great importance to areas such as web service composition.) It describes the architecture and algorithms of a component software trust information service that may be used to aid the selection of reliable components. Specifically, it addresses the use of reputation and trust analysis to avoid possible problems with incorrect reports of security errors in a component.

The paper presumes the use of a "security wrapper" to monitor execution of a software component with respect to its contractual obligations (and also execution of an application that uses that component). A form of Josang's subjective logic metric is used to assess the component's reliability, and components which over time are shown to be reliable may be excused the overhead of security wrapper monitoring for every use.

Reports of correctness of problems with a component are compared with the security wrapper reports and used to derive a "recommendation trust" value for the reporter.

2.7 Trust Management Tools for Internet Applications

Identifier:
lncs2692_91_107
Author(s):
Tyrone Grandison, Morris Sloman.
Trust definition(s):
The quantified belief by a trustor with respect to the competence, honesty, security and dependability of a trustee within a specific context.
Trust management: the activity of collecting, codifying, analysing, and presenting evidence relating to competence, honesty, security or dependability with the purpose of making assessments and decisions regarding trust relationships for Internet applications.
Categories:
computation.

This paper describes the SULTAN trust management toolkit for specifying, analysing and monitoring trust specifications.

SULTAN has four main components:

  1. a specification editor, based on a Prolog-like language for specifying trust and recommendation. The definition of trust is closely reflected in trust expressions,
  2. a trust analysis tool, which allows various Prolog-like queries to be evaluated against a stored trust specification,
  3. a risk service, used to retrieve and analyze risk information, and
  4. a monitoring service.

2.8 Trust-Based Filtering for Augmented Reality

Identifier:
lncs2692_108-122
Author(s):
David Ingram.
Trust definition(s):
A quantified predictor of [a] principal's behaviour based on evidence of previous interactions.
Categories:
computation, reputation.

This paper describes the design and algorithms for a system to filter comments about some subject based on trust of those principals making the comments. Although the application is quite specific, the paper identifies recommendation system concerns in a way that could apply in a variety of applications. The application concerned is particularly focused on distribution, scalability and comments that are not directed toward a known receiving principal, and identifies a number of simplifying assumptions used in its particular scenario.

Section 3 has a useful, crisp summary of a range of issues to be considered by recommendation-based trust systems.

2.9 Towards the Intimate Trust Advisor

Identifier:
lncs2692_123-135
Author(s):
Piotr Cofta, Stephen Crane.
Trust definition(s):
Relational Trust: one's expectation that the outcome of the other's unobservable or incomprehensible behaviour is favourable.
Computational Trust: one's supported expectation that can be expressed as a computationally effective function that the outcome of the other's unsupervised behaviour is favourable according to one's understanding.
Categories:
computation.

This paper describes the design for a system that will be used to explore whether inter-personal (subjective) trust can be replaced by computed trust, with particular reference to the environment of mobile and supporting information processing resources. The specific focus of this experiment is the implementation of a personal (intimate) trust advisor that can be queried from and concerning a variety of scenarios.

A number of use-cases are considered with respect to a specified reference architecture, combining hand-held facilities, personal computing facilities and a fixed supporting infrastructure.

2.10 Trusting Collaboration in Global Computing Systems

Identifier:
lncs2692_136-149
Author(s):
Colin English, Waleed Wagealla, Paddy Nixon, Sotirios Terzis, Helen Lowe, Andrew McGettrick.
Trust definition(s):
The mechanism [used] to cope with the inherent risks when dealing with only partial information about people and the environment.
Categories:
computation.

This paper describes a trust management system architecture for a mobile computing environment in which parties do not have complete information about each other or the environment within which transactions are conducted.

The design is built around a trust/collaboration life cycle, including the following phases:
(a) collaboration request analyser,
(b) entity recognition mechanism,
(c) trust formation,
(d) trust exploitation (risk assessment using trust information),
(e) collaboration monitoring, and
(f) collaboration evaluation (updating stored trust values; also trust evolution).

The trust exploitation, trust formation, trust update and trust evolution functions are handled within a "trust box" component.

2.11 Trust, Reliance, Good Faith, and the Law

Identifier:
lncs2692_150_164
Author(s):
Daniela Memmo, Giovanni Sartor, Gioacchino Quadri di Cardano.
Trust definition(s):
Trust consisting of Core Trust and Reliance: Core trust: the truster (1) has a certain goal, (2) believes the trustee can bring about that goal (competence), (3) believes the trustee is willing to bring about that goal (disposition);
Reliance: the truster (4) believes he needs to rely on the trustee to bring about the goal (dependence), (5) believes the trustee's action will achieve the goal [competence] .
Categories:
legal.

This paper explores interactions between law and (subjective) trust, with emphasis on the idea that these are complementary, not alternative, mechanisms for achieving desirable outcomes in a transaction.

Law serves to increase a trustee's disposition to trusting behaviour, and to reduce the risk to the truster from default, but does not completely displace these matters: law is only one component in establishing the disposition belief element of trust. Conversely, laws may come about with the purpose of protecting the expectations derived from trust.

The paper also explores situations in which the expected outcome of reasonable trust may be protected by law, even when there is no purely legal basis (e.g. contract) to enforce that outcome. [This aspect of the paper is quite heavily based in Italian law.]

2.12 Social capital, Community Trust and E-government Services

Identifier:
lncs2692_165_178
Author(s):
Michael Grimsley, Anthony Meeham, Geoff Green, Bernard Stafford.
Trust definition(s):
(None given; but in part the paper explores the notion of trust as social capital).
Categories:
sociology, statistics.

This paper describes a large-scale community survey that explores the relationship between trust within the community and perceptions of the quality of government services.

The experiment was designed to test the idea that there are distinct identifiable forms of trust that may be observed within a community and its institutions (Horizontal, between community members, and Vertical, between community members and the institutions that serve them; the latter may be subdivided into Input and Output trust). Evidence was found supporting the existence of all these forms of trust.

The results of the survey lead to a proposed Trust Cycle describing the propagation of trust within a community.

The results of the survey also show a clear link between community trust levels and information provision by institutions. Some implications for e-government information systems are explored.

2.13 Simulating the Effect of Reputation Systems on E-markets

Identifier:
lncs2692_179_194
Author(s):
Audun Josang, Shane Hird, Eric Faccer.
Trust definition(s):
(None given).
Categories:
economics, statistics, reputation.

This paper describes a simulation of the effect of a reputation system on honesty in an e-market. The reputation system used calculates a reputation based on observed behaviour and a probability estimate based on the beta-distribution.

The simulation indicates that the reputation system does indeed have an effect on the market, and an improvement in market honesty is seen where both seller and buyer behaviour evolves following some simple rules. It is noted that keeping reputation information indefinitely is not helpful, and better overall market honesty is achieved if older reputation data gives way to more recent data.

This describes an arbitrary simulation, and no attempt is made to formally verify the particular models used, particularly with respect to evolution of seller and buyer behaviour.
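The following added example (not taken from the survey or from the paper) illustrates why ageing out old reputation data helps: a seller who builds a good record and then starts cheating is flagged quickly only when old evidence decays. The score formula (the expected value of a beta distribution over evidence counts), the exponential forgetting factor, the 0.5 threshold and the transaction history are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BetaReputation:
    """Reputation of one seller, held as decayed evidence counts.

    Assumed model: r counts honest outcomes, s counts dishonest ones, and
    the score is the mean of Beta(r + 1, s + 1). `forgetting` in [0, 1]
    scales old evidence before each new observation (1.0 = keep forever).
    """
    forgetting: float = 1.0
    r: float = 0.0
    s: float = 0.0

    def observe(self, honest: bool) -> None:
        # Age the existing evidence, then add the new observation.
        self.r = self.r * self.forgetting + (1.0 if honest else 0.0)
        self.s = self.s * self.forgetting + (0.0 if honest else 1.0)

    def score(self) -> float:
        # Expected probability that the next transaction is honest.
        return (self.r + 1.0) / (self.r + self.s + 2.0)


def replay(history: List[bool], forgetting: float) -> List[float]:
    """Return the reputation score after each transaction in `history`."""
    rep = BetaReputation(forgetting=forgetting)
    scores = []
    for honest in history:
        rep.observe(honest)
        scores.append(rep.score())
    return scores


def rounds_until_distrusted(history: List[bool], forgetting: float,
                            threshold: float = 0.5) -> Optional[int]:
    """1-based index of the first transaction after which the score falls
    below `threshold`, or None if it never does."""
    for i, score in enumerate(replay(history, forgetting), start=1):
        if score < threshold:
            return i
    return None


# Constructed history: 30 honest sales to build reputation, then 10 frauds.
HISTORY = [True] * 30 + [False] * 10

if __name__ == "__main__":
    for lam in (1.0, 0.8):
        final = replay(HISTORY, lam)[-1]
        flagged = rounds_until_distrusted(HISTORY, lam)
        print(f"forgetting={lam}: final score {final:.3f}, "
              f"distrusted after transaction {flagged}")
```

With evidence kept indefinitely the seller is still rated above the threshold after ten consecutive frauds; with decay the rating falls below it within a few transactions of the behaviour change.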

2.14 Integrating Trustfulness and Decision Using Fuzzy Cognitive Maps

Identifier:
lncs2692_195_210
Author(s):
Christiano Castelfranchi, Rino Falcone, Giovanni Pezzulo.
Trust definition(s):
(None given).
Categories:
psychology.

This paper uses a technique called "Fuzzy Cognitive Maps" to construct a pseudo-quantitative model of trust, taking into account a number of cognitive factors such as the subject's belief in the trusted agent's ability, availability, potential for harm, and external factors such as opportunity for good, potential danger from non-performance. (I say pseudo-quantitative, because it's not clear to me what is actually being measured.)

The technique described is used to evaluate some hypothetical scenarios related to healthcare assessment and treatment provided by a human doctor and an automated treatment machine.

The contribution of this paper seems to be an illustration of how diverse cognitive assessments may combine to create a complex composite assessment of trust in an agent for some given situation, affected by general and specific knowledge of the trusted agent, beliefs about the agent and possible outcomes, emotional disposition, and other factors.

2.15 Methodology to Bridge Different Domains of Trust in Mobile Communications

Identifier:
lncs2692_211_224
Author(s):
Zheng Yang, Piotr Cofta.
Trust definition(s):
The confidence of an entity on another entity based on the expectation that the other entity will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other entity.
Categories:
computation.

This paper describes a methodology for building trust across a distributed system by analysing the system into trust domains, and coopting or creating components or new domains to act as trust bridges between the domains.

The methodology is illustrated by use-cases related to mobile communications.

2.16 A Subjective Approach to Routing in P2P and Ad Hoc Networks

Identifier:
lncs2692_225_238
Author(s):
Andrew Twigg.
Trust definition(s):
Trust values: elements of a complete lattice (T,<=).
Categories:
computation, reputation, statistics.

Describes a routing algorithm for use in peer-to-peer and ad hoc networks that uses estimates of component reliability (trust) in selecting a route. These estimates are built up from observations of success and failure to transfer packets over specified routes. The routing algorithm is asserted to function successfully in the face of malicious and colluding network components.

The trust values are based on Josang's subjective logic, with an ordering function based on a corresponding expected probability of success.

The paper also explores use of the statistical model constructed to minimize risk (e.g. expected transmission energy costs in a wireless network).

An interesting feature of this paper is that it describes a complete, self-contained application that makes use of models and computations of trust.

2.17 Trust Propagation in Small Worlds

Identifier:
lncs2692_239_254
Author(s):
Elizabeth Gray, Jean-Marc Seigneur, Yong Chen, Christian Jensen.
Trust definition(s):
(No definition given; implicitly used as modifier of risk).
Categories:
computation, sociology.

This paper surveys the sociology research into the "small world" concept, emanating from seminal work by Stanley Milgram. It then goes on to describe the use of results from this work in the design of a system that presumes small-world effects to facilitate the propagation of trust within a larger community, thus supporting the ad-hoc formation of small groups within which members are susceptible to behaviour of other group members.

The ideas are illustrated by an example of ad hoc formation of a blackjack game with members who may or may not have direct acquaintance, but whose good behaviour may be indicated by recommendations from other parties outside the immediate group.

This leads to a justification for the SECURE trust-based security architecture, whose key elements are entity recognition, trust management, risk assessment and admission control.

2.18 Enforcing Collaboration in Peer-to-Peer Routing Services

Identifier:
lncs2692_255_270
Author(s):
Tim Moreton, Andrew Twigg.
Trust definition(s):
Trust values: elements of a complete lattice (T,<=).
Categories:
computation, reputation, economics, statistics.

Describes an algorithm for distributed route discovery in peer-to-peer networks, with built-in mechanisms to avoid "free-riding" or "subversion" of the routing service by non-cooperative nodes.

The algorithm takes into account a computed value of trust for each node, with respect to how well it participates in packet forwarding, and also concerning the quality of recommendations it provides about network routing properties.

The result is that each node has a strong incentive to provide accurate routing information if it wishes to take advantage of the distributed routing infrastructure.

2.19 Statistical Trustability (Conceptual Work)

Identifier:
lncs2692_271_274
Author(s):
Robert Kalcklosch, Klaus Herrmann.
Trust definition(s):
A relation between entities that ties them together to form a complex network.
Categories:
computation, reputation.

This short paper discusses the concept of using a statistically based trust measure calculated from observed behaviour, and communicated between participants in the network. The paper raises a number of issues that such a system must address, without offering any specific solutions.

2.20 An Introduction to Trust Negotiation

Identifier:
lncs2692_275_283
Author(s):
Marianne Winslette.
Trust definition(s):
(None given).
Categories:
computation, privacy.

This paper explores the translation of real-world transaction systems (e.g. credit card purchase) into the digital domain. It explores the exchanges of information that may be needed, taking account of privacy and disclosure concerns, in order to complete a transaction. Another example considered is access to medical records.

This work is aiming towards a policy description language for conducting negotiations in which trust must be established in order to complete a transaction.

2.21 Experience with the Keynote Trust Management System: Applications and Future Directions

Identifier:
lncs2692_284_300
Author(s):
Matt Blaze, John Ioannidis, Angelos D. Keromytis.
Trust definition(s):
(None given, but in this context 'Trust' might be read as 'Authorization'. There is no subjective component.).
Categories:
computation.

This paper reviews seminal work on the trust management systems PolicyMaker and KeyNote. These are called "Trust Management" systems, but it might be more accurate to call them "Authorization Decision" systems. The fundamental departure in these systems from earlier work is that authorization is evaluated directly from given credentials with respect to a specified policy, where earlier systems would first authenticate a request, then test to see if the identified requester was authorized to perform some action. These systems unify the concepts of security policy, credentials, access control and authorization. Also implicit in the design of these systems is that the authorization decision component is independent of any particular application.

The paper goes on to outline a number of areas in which KeyNote has been applied (which are very wide-ranging), and finally discusses some areas where the KeyNote policy description language has been found lacking.
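As an added illustration (not code from the survey, and not KeyNote's assertion syntax or API), the sketch below models the idea of deciding authorization directly from credentials and local policy: the request is allowed if a chain of assertions leads from the local policy to the requesting key, and every link in the chain permits the action. The `Assertion` structure, the key names and the sample policy are hypothetical, and credential signatures are assumed to have been verified already.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

Action = Dict[str, str]  # attributes describing the requested action


@dataclass(frozen=True)
class Assertion:
    """One policy statement or (already signature-checked) credential."""
    authorizer: str                      # "POLICY" or the issuing key
    licensees: FrozenSet[str]            # keys that receive the authority
    condition: Callable[[Action], bool]  # which actions this link permits


def authorized(requester_key: str, action: Action,
               assertions: List[Assertion], root: str = "POLICY",
               _seen: Optional[Set[str]] = None) -> bool:
    """True if some delegation chain from `root` reaches `requester_key`
    with every assertion on the chain permitting `action`.

    No identity lookup takes place: the decision depends only on the key
    that made the request, the credentials presented and local policy.
    """
    seen = _seen if _seen is not None else set()
    if root in seen:        # already explored; also stops delegation cycles
        return False
    seen.add(root)
    for a in assertions:
        if a.authorizer != root or not a.condition(action):
            continue        # not issued by this principal, or too narrow
        if requester_key in a.licensees:
            return True
        if any(authorized(requester_key, action, assertions, k, seen)
               for k in a.licensees):
            return True
    return False


# Constructed sample: local policy trusts k_admin for the "files" app;
# k_admin delegates read-only access under /pub/ to k_alice; k_alice
# passes her authority on to k_bob; k_bob delegates back to k_admin
# (a cycle that must not cause unbounded recursion).
ASSERTIONS = [
    Assertion("POLICY", frozenset({"k_admin"}),
              lambda a: a.get("app") == "files"),
    Assertion("k_admin", frozenset({"k_alice"}),
              lambda a: a.get("op") == "read"
              and a.get("path", "").startswith("/pub/")),
    Assertion("k_alice", frozenset({"k_bob"}), lambda a: True),
    Assertion("k_bob", frozenset({"k_admin"}), lambda a: True),
]

READ_PUB = {"app": "files", "op": "read", "path": "/pub/report.txt"}
WRITE_PUB = {"app": "files", "op": "write", "path": "/pub/report.txt"}
READ_ETC = {"app": "files", "op": "read", "path": "/etc/shadow"}

if __name__ == "__main__":
    for key in ("k_admin", "k_bob", "k_mallory"):
        for act in (READ_PUB, WRITE_PUB, READ_ETC):
            print(key, act["op"], act["path"],
                  authorized(key, act, ASSERTIONS))
```

Although k_alice's credential to k_bob is unconditional, k_bob can never exceed what k_admin granted to k_alice, because each link on the chain is checked against the same action.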

2.22 Fidelis: A Policy-Driven Trust Management Framework

Identifier:
lncs2692_301_317
Author(s):
Walt Teh-Ming Yao.
Trust definition(s):
A set of assertions that a principal holds with regard to another principal.
Categories:
computation.

Fidelis is another authorization decision system, along the lines of PolicyMaker/KeyNote.

The key difference between Fidelis and the other "trust management" systems is that Fidelis restricts itself to "simple credentials", where other systems use "rich credentials", the latter being potentially powerful predicates similar to those that appear within policy statements. A claimed advantage of "simple credentials" is a cleaner separation within the system between credentials and policies, allowing policies to be strictly local to each participating node.

2.23 Implementation of an Agent-Oriented Trust Management Infrastructure Based on a Hybrid PKI Model

Identifier:
lncs2692_318_331
Author(s):
Yucel Karabulut.
Trust definition(s):
(None given, but in this context 'Trust' might be read as 'Authorization'. There is no subjective component.).
Categories:
computation.

This paper describes an approach to security and authorization using a fusion of traditional X.509 identity-based certificates and SPKI-style direct authority assertions. Much of the paper is a fairly detailed description of a software system that implements this approach.

2.24 Authenticated Dictionaries for Fresh Attribute Credentials

Identifier:
lncs2692_332_347
Author(s):
Michael T. Goodrich, Michael Shin, Roberto Tamassia, William H. Winsborough.
Trust definition(s):
(None given).
Categories:
computation.

This paper is an attack on the certificate revocation problem, and similar situations in which signed information must be propagated in timely fashion via a third party. It has little to do with trust, beyond not requiring that the party distributing the information be completely trusted: any failure on their part to distribute updates in timely fashion can be detected by the original suppliers of certified information.

The technique described builds upon existing work on authenticated dictionaries, augmented by having a mutually-signed "basis" value distributed with the result of any query for data from the dictionary.

2.25 Addressing the Data Problem: The Legal Framework Governing Forensics in an Online Environment

Identifier:
lncs2995_1_15
Author(s):
Ian Walden.
Trust definition(s):
(None given).
Categories:
legal.

In a democratic society, the interference caused by a criminal investigation must be justifiable and proportionate to the needs of the society. The growth of network-based crime has raised difficult issues in prosecuting such crime, and the rights of data users.

This paper discusses some of the problems raised by data for law enforcement agencies investigating network-based crime. It examines recent legislative measures in UK and other jurisdictions to address some of these problems of criminal procedure and the extent to which such measures achieve an appropriate balance between inevitably conflicting interests.

The nature of digital information makes it extremely difficult to ensure that differing types of information (e.g. signalling and content) continue to be subject to distinct legal treatment. Our inability to practicably distinguish between them potentially erodes the protections granted to individuals by law. To address this data problem is likely to require a variety of approaches, both legal and procedural.

2.26 KAoS: A Policy and Domain Services Framework for Grid Computing and Semantic Web Services

Identifier:
lncs2995_16_26
Author(s):
Andrzej Uszok, Jeffrey M. Bradshaw, Renia Jeffers.
Trust definition(s):
(None given).
Categories:
computation.

KAoS is a policy and domain services framework based on W3C's Web Ontology Language (OWL). KAoS uses OWL to create rich descriptions of policies, domains and other managed entities, which can be used as a basis for automated reasoning about those entities. The richness of information can capture essential ingredients upon which trust may be based.

It is envisaged that ongoing work in the area of Semantic Web Services will enhance the system capabilities with respect to trust negotiation and management.

This paper describes the key architectural components of KAoS, including ontologies, policy representation, policy management and life-cycle. It also indicates a number of applications in which KAoS has been used.

2.27 W5: The Five W's of the World Wide Web

Identifier:
lncs2995_27-32
Author(s):
Massimo Marchiori.
Trust definition(s):
Trust Scenario: (T,R,U,S,t), where: T is a trust property; t is a computable test property; U is a universe of entities; R is a probability that t implies T; S is a mapping from U to [0,1] indicating that the subjective probability for an entity e in U that t implies T is S(e).
Categories:
computation.

This paper discusses the role of deception in the World Wide Web, and some of the means by which it can be reduced (thus enhancing the basis of trust in WWW).

Simplistic, low-cost interpretations of the Web leave users exposed to many forms of deception. But by taking account of other factors (a wider range of W's: What, Where, Who, When, Why), opportunities for deception can be mitigated, but at some cost.

2.28 A Case for Evidence-Aware Distributed Reputation Systems; Overcoming the Limitations of Plausibility Considerations

Identifier:
lncs2995_33_47
Author(s):
Philipp Obreiter.
Trust definition(s):
A substitute for complete information regarding the entities that participate in [open artificial] societies.
Categories:
computation, reputation.

This paper examines the role of plausibility in reputation systems, and the potential for pollution of reputations by untruthful recommendations and failure to disseminate recommendations. It asserts that current systems rely on a notion of plausibility in order to assess the likely accuracy of a recommendation, and describes some scenarios in which this may lead to an inaccurate assessment of a party's reliability.

It then proposes a system of evidences, based on non-repudiable statements (cryptographically assured), that can be used to overcome the limitations of using plausibility. Using such evidence, a party can self-recommend, detect untruthful recommendations about themselves, and may be able to refute an incorrect recommendation.

2.29 Enhanced Reputation Mechanism for Mobile Ad Hoc Networks

Identifier:
lncs2995_48_62
Author(s):
Jinshan Liu, Valerie Issarny.
Trust definition(s):
A particular level of the subjective probability with which an agent assesses that another agent or group of agents will perform a particular action, both before he can monitor such action (or independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action.
Reputation: a perception regarding [an agent's] behaviour norms, which is held by other agents, based on experiences and observation of its past actions.
Categories:
computation, reputation.

This paper gives a fairly detailed description of the design of a reputation system for use in mobile ad hoc networks, in which there is no central trusted component for collecting and distributing reputation information. The design clearly separates the recommendation performance of an agent from its service performance, and reputation with respect to each of these concepts is built up separately. The design incorporates features to mitigate free-riding, defamation and collusion attacks on the system.

The design is supported by experiments that simulate a mix of agents that are trustworthy or not with regard to service performance and recommendations given.

2.30 Pinocchio: Incentives for Honest Participation in Distributed Trust Management

Identifier:
lncs2995_63_77
Author(s):
Alberto Fernandes, Evangelos Kotsovinos, Sven Ostring, Boris Dragovic.
Trust definition(s):
(None given).
Categories:
computation, economics, statistics, reputation.

Pinocchio is a framework for awarding incentives for honest participation in a distributed trust management infrastructure. There are a number of ways in which participants may try to cheat in such systems: Pinocchio concentrates on one such attack, free-riding, in which participants fail to provide recommendations, or provide recommendations that are not based on actual experience (this being assumed to be cheaper than providing real recommendations).

Using a statistical analysis of the recommendations from multiple parties, the system attempts to distinguish those who are offering real recommendations from those who are offering random or incorrect recommendations. Participants who are judged not to offer true recommendations are penalized by reducing their access to the system.

The theoretical work is supported by some simulations, but further experimental work is needed to test whether the ideas work out in practice.

2.31 History-Based Signature or How to Trust Anonymous Documents

Identifier:
lncs2995_78_92
Author(s):
Laurent Bussard, Refik Molva, Yves Roudier.
Trust definition(s):
(None given).
Categories:
computation, privacy.

This paper describes a cryptographic signature technique for creating an anonymous, non-transferrable, history-based signature. Such a signature can be used to prove the signer's context (e.g. location, time, group membership, recommendations) without disclosing the signer's identity or pseudonym. It is claimed that this type of signature can be used to build a degree of trust in anonymous documents.

The signature combines from a certifying authority (who confirms the signer's possession of a secret) and a witness (who confirms some aspect of the signer's context).

The cryptographic signature is based on an adaptation of existing "proof of knowledge" schemes.

2.32 Trading Privacy for Trust

Identifier:
lncs2995_93_107
Author(s):
Jean-Marc Seigneur, Christian Damsgaard Jensen.
Trust definition(s):
A complex predictor of [an] entity's future behaviour based on past evidence.
Categories:
computation, privacy.

This paper explores the relation between trust and privacy. To the extent that trust is based on knowledge, increased trust comes at the cost of reduced privacy. A principal may be prepared to sacrifice privacy for trust if sufficient benefit is achieved as a result of the increased trust.

The proposed framework is based on using pseudonyms, which are the subjects of evidence from which trust may be assessed. A single principal may have an arbitrary number of different pseudonyms. In some cases it may be necessary to link pseudonyms to create an increased level of trust for a transaction. But such a framework may also suffer from requests for information that are not needed to establish the needed level of trust and, once lost, privacy is very hard or impossible to regain.

This paper discusses a number of issues related to this framework, and proposes models which can be used to evaluate the trade-off between trust and privacy.

2.33 Supporting Privacy in Decentralized Additive Reputation Systems

Identifier:
lncs2995_108_119
Author(s):
Elan Pavlov, Jeffrey S. Rosenschein, Zvi Topol.
Trust definition(s):
(None given).
Categories:
computation, reputation, privacy.

This paper explores the problem of protecting the privacy of recommendations in a distributed reputation system that combines multiple recommendations using addition. The challenge is to prevent disclosure of any one recommender's rating while providing the final combined result.

The paper describes three protocols for achieving this with varying degrees of resistance to collusion between dishonest agents. The most resistant protocol presented makes use of zero knowledge proofs.
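The privacy goal and the collusion limit described above can be seen in a generic additive secret-sharing sum. This is an added illustration, not one of the paper's three protocols; the modulus, function names and sample ratings are assumptions made for the example.

```python
import secrets

MODULUS = 2**61 - 1  # assumed public modulus, far larger than any real total


def split(rating, n):
    """Split a rating into n random shares that add up to it mod MODULUS."""
    shares = [secrets.randbelow(MODULUS) for _ in range(n - 1)]
    shares.append((rating - sum(shares)) % MODULUS)
    return shares


def run_round(ratings):
    """Simulate one round among len(ratings) witnesses.

    Returns (total, sent, partials): sent[i][j] is the share witness i gives
    witness j (sent[i][i] is kept private), partials[j] is what j publishes.
    """
    n = len(ratings)
    if n < 2:
        raise ValueError("a sum over one witness discloses that rating")
    sent = [split(r, n) for r in ratings]
    partials = [sum(sent[i][j] for i in range(n)) % MODULUS for j in range(n)]
    return sum(partials) % MODULUS, sent, partials


def coalition_attack(sent, partials, victim, coalition):
    """What colluding witnesses can compute about the victim's rating.

    They know every share they sent or received, plus all published partials.
    Only if they are everyone except the victim can they strip their own
    shares out of the victim's partial and rebuild the rating.
    """
    n = len(partials)
    if set(coalition) != set(range(n)) - {victim}:
        return None  # at least one honest witness's share stays unknown
    kept = (partials[victim] - sum(sent[i][victim] for i in coalition)) % MODULUS
    received = sum(sent[victim][j] for j in coalition)
    return (kept + received) % MODULUS


if __name__ == "__main__":
    ratings = [7, 2, 9, 4]  # constructed sample ratings, one per witness
    total, sent, partials = run_round(ratings)
    print("combined reputation:", total)
    print("all others collude:", coalition_attack(sent, partials, 0, [1, 2, 3]))
    print("two collude:", coalition_attack(sent, partials, 0, [1, 2]))
```

Each published partial is masked by shares from every other witness, so a single rating is exposed only when all remaining witnesses collude, which is unavoidable for any protocol that reveals the exact sum.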

2.34 Engineering Trust Based Collaborations in a Global Computing Environment

Identifier:
lncs2995_120_134
Author(s):
Colin English, Sotiris Terzis, Waleed Wagealla.
Trust definition(s):
Trust is used as a mechanism for managing risk and learning from past interactions in order to reduce risk exposure.
Categories:
computation.

This paper explores the relationship between risk and trust, and describes a framework within which they may be combined when making trusting decisions. This framework is tested in the context of two scenarios involving distribution of private information and e-cash. The paper is an attempt to "chart the space" of interaction between trust and risk, rather than to engineer a particular solution.

Conclusions include: the relationship (mapping) between risk and trust is a central concern and the system needs to explicitly deal with uncertainty with respect to the elements of risk.

2.35 Analysing the Relationship between Risk and Trust

Identifier:
lncs2995_135_145
Author(s):
Audun Josang, Stephane Lo Presti.
Trust definition(s):
The extent to which one party is willing to depend on somebody, or something, in a given situation with a feeling of relative security, even though negative consequences are possible.
Categories:
computation, economics.

This paper analyses the relationship between risk and trust, combining the classical statistical notion of expected outcome with a decision maker's attitude to risk. This approach explains decisions that might be considered irrational when assessed in terms of expected outcome (e.g. purchase of a lottery ticket).

Analysis of factors affecting such decisions leads to the idea of a "decision surface" which reflects one's propensity to make a decision in terms of amount of principal to be invested, possible gain and probability of success. An example decision surface function is offered, which explains a number of decision behaviours commonly observed in real life.

2.36 Using Risk Analysis to Assess User Trust - A Net Bank Scenario

Identifier:
lncs2995_146_160
Author(s):
Gyrd Braendeland, Ketil Stolen.
Trust definition(s):
The willingness of a party to be vulnerable to the actions of another party based on the expectation that the other perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party.
The proposed approach defines user trust as an asset [of the trustee].
Categories:
computation, sociology, psychology, economics.

The paper starts out by exploring some of the psychological and social contributors to trust. It then reviews the CORAS methodology for risk analysis, which analyses system vulnerabilities and unwanted incidents with regard to identified assets [what are these?], and uses a specialization of UML to describe the process.

The paper then sketches an application of the CORAS model-based risk analysis method to an online banking scenario, focusing on elements of the system as they relate to the trust a banking user may place in the online banking service. The risk analysis examines the assets of the bank that owns the online service, for whom users' trust is manifested in how much they are prepared to invest, which in turn influences the bank's market share. Thus user trust may be viewed as an asset of the bank. This asset can be decomposed into more specialized assets (in this case, using Egger's model of trust). From this analysis, following the CORAS method:

This method gives rise to a process of risk analysis targeting user trust that is similar to risk analysis in the security domain, but taking account of the psychological, social, economic and legal aspects of trust.

2.37 E-notebook Middleware for Accountability and Reputation Based Trust in Distributed Data Sharing Communities

Identifier:
lncs2995_161_175
Author(s):
Paul Ruth, Dongyan Xu, Bharat Bhargava, Fred Regnier.
Trust definition(s):
(None given).
Categories:
computation.

Discusses the importance of trust and reputation in data sharing communities (e.g. scientific research) where one party's performance (hence reputation) may be subject to the accuracy of another party's data upon which their work is based.

The paper describes a system for improving the reliance that may be placed on results that are derived from multiple data sets from different providers, some of which may themselves be derived from a combination of sources. The system essentially provides data provenance information, backed by digital signatures, combined with a reputation system that can be used to form trust views for some data or data provider.

2.38 Requirements Engineering Meets Trust Management; Model, Methodology and Reasoning

Identifier:
lncs2995_176_190
Author(s):
Paolo Giorgini, Fabio Massacci, John Mylopoulos, Nicola Zannone.
Trust definition(s):
(None given).
Categories:
computation.

This paper introduces a formal model and methodology for analyzing trust as part of the software requirements engineering process. The methodology is proposed as an enhancement of TROPOS, a software agent development methodology.

This methodology can be used to support automatic verification of security requirements and trust relationships against specified functional dependencies.

2.39 Towards Dynamic Security Perimeters for Virtual Collaborative Networks

Identifier:
lncs2995_191_205
Author(s):
Ivan Djordjevic, Theo Dimitrakos.
Trust definition(s):
(None given).
Categories:
computation.

This paper addresses the issues of maintaining security in an environment where applications may draw upon the services of several subsystems, which may be formed and re-formed dynamically as needed to address the needs of different applications. It describes an architecture for maintaining security in such an environment.

The architecture includes the following elements:

Communication between these components is supported by public key certificates and attribute certificates.

An additional level of security is provided by performance monitoring and assessment, which in turn augments the trust assessment initially provided by digital certificates.

2.40 Human Experiments in Trust Dynamics

Identifier:
lncs2995_206_220
Author(s):
Catholijn M. Jonker, Joost J.P. Schalken, Jan Theeuwes, Jan Treur.
Trust definition(s):
(Several surveyed).
Categories:
psychology, sociology, computation.

This paper starts by surveying some definitions and descriptions of trust, both with respect to trust being used as a basis for decision making, and also in terms of the factors that affect how trust is gained or lost. No definition is singled out.

The paper then goes on to describe an experiment, conducted with real human subjects, that aims to provide observational evidence related to the formation and exercise of trust. This experiment serves to verify some of the elements of trust that have been previously proposed without empirical verification.

2.41 Using Trust in Recommender Systems: An Experimental Analysis

Identifier:
lncs2995_221_235
Author(s):
Paolo Massa, Bobby Bhattacharjee.
Trust definition(s):
Trust statement: an explicit assertion that a user trusts another user.
Categories:
computation.

This paper starts with a brief survey of recommender systems, noting two main kinds: content-based and those using collaborative filtering (CF). The former is not considered to be scalable and the paper focuses on the latter.

A number of problems associated with CF-based recommender systems are described (sparseness of data for computing user similarity, lack of usable data for new system users, attacks on the integrity of recommendations offered, lack of user control over recommendations given). The existence of these problems is confirmed by analysis of data from a real large-scale recommender system.

The paper goes on to show that, using the same data, a system that uses directly expressed or inferred trust values can mitigate all of the problems noted. In this scenario, a trust value is used as an alternative to a computed user similarity rating to weight the ratings of other users when preparing a recommendation.
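The substitution of trust for similarity as the weighting factor, and its effect on the new-user problem, can be shown on a toy data set. This is an added sketch, not the paper's code or data: the users, ratings, trust weights and function names are constructed, Pearson correlation stands in for the similarity measure, and only directly expressed trust is used (no inference).

```python
from math import sqrt

# Constructed sample data: user -> {item: rating on a 1..5 scale}
RATINGS = {
    "alice": {"m1": 5},                      # new user with a single rating
    "bob":   {"m1": 4, "m2": 5, "m3": 1},
    "carol": {"m2": 2, "m3": 5},
    "dave":  {"m1": 5, "m2": 4, "m3": 2},
}
# Constructed explicit trust statements: truster -> {trustee: weight in (0, 1]}
TRUST = {"alice": {"bob": 1.0, "dave": 0.5}}


def pearson(a, b, ratings=RATINGS):
    """Pearson similarity over co-rated items; None when it is undefined."""
    common = sorted(set(ratings[a]) & set(ratings[b]))
    if len(common) < 2:
        return None  # sparse overlap: no similarity can be computed
    xs = [ratings[a][i] for i in common]
    ys = [ratings[b][i] for i in common]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return num / den if den else None


def similarity_weight(user, other):
    return pearson(user, other)


def trust_weight(user, other):
    return TRUST.get(user, {}).get(other)


def predict(user, item, weight_of, ratings=RATINGS):
    """Weighted average of other users' ratings; None if no usable weight."""
    num = den = 0.0
    for other, theirs in ratings.items():
        if other == user or item not in theirs:
            continue
        w = weight_of(user, other)
        if w is None or w <= 0:
            continue  # unknown or non-positive weight contributes nothing
        num += w * theirs[item]
        den += w
    return num / den if den else None


if __name__ == "__main__":
    print("similarity-weighted:", predict("alice", "m2", similarity_weight))
    print("trust-weighted:     ", predict("alice", "m2", trust_weight))
```

Because only users named in a trust statement carry weight, ratings from profiles the user has never expressed trust in do not influence the trust-weighted result.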

2.42 Modeling Controls for Dynamic Value Exchanges in Virtual Organizations

Identifier:
lncs2995_236_250
Author(s):
Yao-Hua Tan, Walter Thoen, Jaap Gordijn.
Trust definition(s):
The willingness of a party to be vulnerable to the actions of another party based on the expectation that the other perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party.
Categories:
computation, economics, legal.

This paper starts by discussing the design and life-cycle of virtual organizations, noting that their operations are governed by contractual and social norms, the latter including trust. The contractual norms are easier to vary than the social norms.

It then introduces the E3-value methodology, a conceptual modelling tool for designing and analyzing the value proposition and value exchanges between members of a virtual organization. Software tools allow these conceptual models to be analyzed to ensure the proposed value exchanges are profitable for all the participants involved. In addition to the primary value exchanges, there may be others needed in order to complete a transaction ("doing tasks") or to monitor a transaction ("control tasks"). Control tasks may be needed to overcome situations of insufficient trust.

The E3-value methodology is enhanced with features that can be used to model control elements, including trust, using elements from coloured Petri nets. Analysis of the value transfers and available trust can show where additional control mechanisms may be needed to overcome a lack of trust necessary to expect a successful conclusion of a transaction.

2.43 Analyzing Correlation between Trust and User Similarity in Online Communities

Identifier:
lncs2995_251_265
Author(s):
Cai-Nicolas Ziegler, Georg Lausen.
Trust definition(s):
(None given).
Categories:
computation, statistics, sociology.

This paper starts with an observation that many recommender systems assume a correspondence between trust and similarity between users of the system, which is not substantiated by empirical observation.

It goes on to describe an experiment to compare similarity between users of a recommender system with expressed trust. Using public data from an online recommender system (All Consuming), user similarity measures are estimated from their expressed interest in topics (the data being too sparse for a calculation based on similarity of actual recommendations). This is compared statistically with explicit expressions of trust, and the proposed correspondence is indeed found to be present (though the level of significance of this correspondence is not clear).

2.44 Trust Development and Management in Virtual Communities

Identifier:
lncs2995_266_276
Author(s):
Tanko Ishaya, Darren P. Mundy.
Trust definition(s):
(None given, but several surveyed).
Categories:
computation, sociology, psychology, legal, economics.

The paper starts with a brief survey of trust and its definitions, noting that there are many different perceptions that make it extremely difficult to navigate the various strands of work. Theories tend to cluster around two main ideas: rational (based on calculations of cost-benefit analysis), and social (based on moral duty toward a collective good).

Developing and maintaining trust online is not a straightforward task. The absence of face-to-face contact makes the sources of trust in virtual communities fundamentally different. This paper discusses the potential benefits of and barriers to the introduction of trust in virtual communities, touching on sociological, psychological, technological, legal and economic issues. High-level conceptual methods for building and managing a trusted virtual community are proposed.

2.45 Managing Internet-Mediated Community Trust Relations

Identifier:
lncs2995_277_290
Author(s):
Michael Grimsley, Anthony Meehan, Anna Tan.
Trust definition(s):
Trust [makes] possible the achievement of community objectives that would not be attainable in its absence.
Horizontal Trust: arises from relations between [community members].

Vertical Trust: arises from relations [of community members] with local councils and providers of public services.
Categories:
sociology.

This paper looks at trust as a form of community social capital. It describes a framework for building and managing trust in a community, and describes its application to online services in Camden. The framework features a community trust cycle, a trust compact and an experience management matrix, which collectively support managers in addressing the relational dynamics of community trust relations.

2.46 Reasoning About Trust: A Formal Logical Framework

Identifier:
lncs2995_291_303
Author(s):
Robert Demolombe.
Trust definition(s):
A mental attitude of an agent with respect to some property held by another agent.
Categories:
logic.

Introduces three problems of dealing with trust:

  1. defining the facts that support trust,
  2. finding appropriate rules to derive the consequences of a set of assumptions about trust, and
  3. using information about trust to make decisions.

The paper goes on to focus on the second problem.

The paper proposes a modal propositional logic language based on the epistemic properties sincerity, credibility, vigilance, validity and completeness, which are themselves defined in terms of epistemic (knowledge) modal operators belief and informing. Various forms of trust are defined in terms of implications using these properties. A number of axioms, and some logical consequences of those axioms are given.

The epistemic pattern is extended to deal with deontic (obligation) and dynamic (ability) properties: obedience, laziness, active (effectiveness?) and honesty.

Using the logical framework thus constructed, some intuitive properties of trust can be formally derived ("rediscovered") from the given definitions and axioms.

2.47 Trust Mediation in Knowledge Management and Sharing

Identifier:
lncs2995_304_318
Author(s):
Cristiano Castelfranchi.
Trust definition(s):
Three components: (1) a mental attitude towards another agent, (2) a decision to rely on the other, and (3) a behaviour, or act of trusting.
Categories:
sociology.

This paper examines the role of trust in knowledge-sharing processes, starting from previous work in organizational knowledge studies. It uses a cognitive model of the goals and beliefs of an agent involved in a decision to pass or accept knowledge, and a network model of trust within groups of agents. This leads to a theoretical model of cognitive attitudes, including trust, that may lead to effective knowledge sharing.

[[[This is my best attempt; I'm not sure that I properly understood what this paper is saying.]]]

2.48 Enhanced Accountability for Electronic Processes

Identifier:
lncs2995_319_332
Author(s):
Adrian Baldwin.
Trust definition(s):
(None given).
Categories:
computation.

This paper discusses the role of accountability in building trust in electronic transactions, and emphasizes the need for transparency (i.e. visibility of all appropriate information) to establish appropriate levels of trust and accountability. It proposes the use of a trusted evidence store that allows interested parties to interactively monitor all significant events relating to a transaction.

An outline is given of how such a store might be implemented, using a combination of cryptographic techniques and secure hardware to ensure integrity, completeness and confidentiality of the audit data.



References

[1] Paddy, P. and S. Terzis, "Trust Management: First International Conference, iTrust 2003", Springer Lecture Notes in Computer Science Vol. 2692, May 2003.
[2] Jensen, C., Poslad, S. and T. Dimitrakos, "Trust Management: Second International Conference, iTrust 2004", Springer Lecture Notes in Computer Science Vol. 2995, March/April 2004.


Author's Address

  Graham Klyne
  Nine by Nine
EMail:  GK-iTrust@ninebynine.org
URI:  http://www.ninebynine.net/


Appendix A. Revision history

00a 04-Oct-2004
Document initially created.

    $Log: iTrust-survey.html,v $
    Revision 1.1  2004/10/19 14:42:05  graham
    iTrust survey docs to Web site CVS

    Revision 1.1  2004/10/04 15:51:19  graham
    Add survey document generator components and presentation