Description: Generates common user authentication code for Rails/Merb, with a full test/unit and rspec suite and optional Acts as State Machine support built-in.
Homepage: http://weblog.techno-weenie.net
Clone URL: git://github.com/technoweenie/restful-authentication.git
restful-authentication / notes / Trustification.txt
See also
* "Trustlet Wiki":http://www.trustlet.org/wiki
 
Potential Ingredients for a trust metric
 
h2. Reputation
 
* Web of trust
* Reputation systems
** Akismet, Viking, etc.
 
* prove_as_human Completing a
* validate_email
 
  logged_in
  akismet, etc.
  session duration
 
h2. Accountability
 
Does the person tied to this identity stand to lose or gain anything based on this action?
 
 
h2. Past history
 
* past history
** we can revisit past trust decisions based on revised trust estimates
* recency of errors (reduce trust on an application exception)
 
h2. Commitment
 
* are_you_sure -- ask for con
* willingness to pay a "hate task" (compute big hash) a la Zed Shaw
* send_me_one_cent a micropayment
** shows commitment
** secondary validation from payment system
** offsets risk
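
The "hate task" above, worked through as an added example in Ruby (this is not restful-authentication's own code). The server issues a random challenge, the client must find a nonce whose SHA-256 over challenge and nonce begins with a required number of zero bits, and the server verifies with a single hash. Challenges are time-limited and single-use so a solved proof cannot be stockpiled or replayed. The names (HateTaskGate, solve, valid_proof?), the 12-bit default and the 5-minute lifetime are assumptions chosen for the example.

```ruby
require 'digest'
require 'securerandom'

# Added example, not restful-authentication's own code: a hashcash-style
# "hate task" as in the Commitment note. The server hands out a random
# challenge; the client must find a nonce such that SHA-256(challenge:nonce)
# starts with at least `bits` zero bits; the server verifies with one hash.
# Class/method names, the 12-bit default and the 5-minute lifetime are
# assumptions.

DEFAULT_BITS = 12          # ~4096 hashes of client work on average
CHALLENGE_TTL = 5 * 60     # seconds a challenge stays redeemable

# Number of leading zero bits in a binary digest string.
def leading_zero_bits(digest)
  bits = 0
  digest.each_byte do |b|
    return bits + (8 - b.bit_length) if b != 0
    bits += 8
  end
  bits
end

def valid_proof?(challenge, nonce, bits = DEFAULT_BITS)
  leading_zero_bits(Digest::SHA256.digest("#{challenge}:#{nonce}")) >= bits
end

# Client side: brute-force the nonce. Expected cost doubles per extra bit.
def solve(challenge, bits = DEFAULT_BITS)
  nonce = 0
  nonce += 1 until valid_proof?(challenge, nonce, bits)
  nonce
end

# Server side: challenges are random, time-limited and single-use, so a
# solved proof cannot be precomputed or replayed.
class HateTaskGate
  def initialize(bits: DEFAULT_BITS, ttl: CHALLENGE_TTL)
    @bits = bits
    @ttl = ttl
    @issued = {}   # challenge => issue time (a DB or cache table in practice)
  end

  def issue(now: Time.now)
    challenge = SecureRandom.hex(16)
    @issued[challenge] = now
    challenge
  end

  # True at most once per challenge, and only while it is fresh and the
  # proof checks out. The challenge is consumed on any attempt, so a wrong
  # guess cannot be retried against the same challenge.
  def redeem(challenge, nonce, now: Time.now)
    issued_at = @issued.delete(challenge)
    return false if issued_at.nil? || now - issued_at > @ttl
    valid_proof?(challenge, nonce, @bits)
  end
end

if $PROGRAM_NAME == __FILE__
  gate = HateTaskGate.new
  c = gate.issue
  n = solve(c)
  puts "nonce #{n} for #{c}: #{gate.redeem(c, n)}; replay: #{gate.redeem(c, n)}"
end
```

The difficulty is the knob: each extra bit doubles the client's expected work while the server's verification cost stays at one hash, which is what makes the task a commitment signal rather than a server-side burden.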
 
h2. Identity Binding
 
* Stale sessions
  bq. "If your application allows users to be logged in for long periods of time
  ensure that controls are in place to revalidate a user’s authorization to a
  resource. For example, if Bob has the role of “Top Secret” at 1:00, and at
  2:00 while he is logged in his role is reduced to Secret he should not be able
  to access “Top Secret” data any more." -- http://www.owasp.org/index.php/Guide_to_Authorization
 
* how I authenticated: for instance, 'logged in by cookie' << 'logged in by password'
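
The two identity-binding notes above, worked through as an added example in Ruby (not restful-authentication's own code). Authorization is re-checked against the current role store on every request rather than the role captured at login, so a user demoted from "Top Secret" to "Secret" mid-session loses access at once; and the session records how it was authenticated, with 'logged in by cookie' ranking below 'logged in by password' and sensitive resources additionally demanding a recent password login. The role ladder, the auth ranking, the policy windows and all names (RoleStore, Session, Policy, authorize) are assumptions.

```ruby
# Added example, not restful-authentication's own code. It models the two
# identity-binding notes: authorization is re-checked against the *current*
# role store on every request rather than the role captured at login, and the
# session records how it was authenticated, with cookie ranking below
# password. All names, the role ladder and the freshness windows are
# assumptions.

ROLE_RANK = { 'Public' => 0, 'Secret' => 1, 'Top Secret' => 2 }.freeze
AUTH_RANK = { cookie: 1, password: 2 }.freeze   # 'by cookie' << 'by password'

# Authoritative, mutable source of roles (a users table in a real app).
class RoleStore
  def initialize(roles)
    @roles = roles.dup
  end

  def role_of(login)
    @roles.fetch(login, 'Public')
  end

  def set_role(login, role)
    @roles[login] = role
  end
end

# What the session may legitimately remember: who, how, and when.
# Deliberately no role field: that would be the stale snapshot.
Session = Struct.new(:login, :auth_method, :authenticated_at)

# Per-resource policy: required classification, weakest acceptable auth
# method, and how old that authentication may be (seconds).
Policy = Struct.new(:classification, :min_auth, :max_auth_age)

# Returns [allowed?, reason]. Every check reads live state; nothing from the
# moment of login is trusted except the identity and the way it was proven.
def authorize(session, policy, store, now: Time.now)
  current_role = store.role_of(session.login)
  if ROLE_RANK.fetch(current_role) < ROLE_RANK.fetch(policy.classification)
    return [false, "role #{current_role} is below #{policy.classification}"]
  end
  if AUTH_RANK.fetch(session.auth_method) < AUTH_RANK.fetch(policy.min_auth)
    return [false, "logged in by #{session.auth_method}, #{policy.min_auth} required"]
  end
  if now - session.authenticated_at > policy.max_auth_age
    return [false, 'authentication too old, re-authenticate']
  end
  [true, 'ok']
end

TOP_SECRET = Policy.new('Top Secret', :password, 30 * 60)       # fresh password login
SECRET     = Policy.new('Secret',     :cookie,   7 * 24 * 3600)  # remember-me is fine

if $PROGRAM_NAME == __FILE__
  store = RoleStore.new('bob' => 'Top Secret')
  one_pm = Time.new(2008, 1, 1, 13, 0, 0)
  bob = Session.new('bob', :password, one_pm)
  p authorize(bob, TOP_SECRET, store, now: one_pm + 5 * 60)   # allowed
  store.set_role('bob', 'Secret')                              # demoted mid-session
  p authorize(bob, TOP_SECRET, store, now: one_pm + 10 * 60)  # denied: role is live
end
```

The point of the missing role field on Session is the OWASP quote: caching "Top Secret" in the session at 1:00 is exactly what lets the 2:00 demotion go unnoticed, so the role is looked up on every request and only the identity and the authentication method are carried in the session.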