bcarpenter edited this page Aug 17, 2010 · 2 revisions

Potential Ingredients for a trust metric


  • Web of trust
  • Reputation systems
    • Akismet, Viking, etc.
  • prove_as_human Completing a
  • validate_email
logged_in akismet, etc. session duration


Does the person tied to this identity stand to lose or gain anything based on this action?

Past history

  • past history
    • we can revisit past trust decisions based on revised trust estimates
  • recency of errors (reduce trust on an application exception)


  • are_you_sure — ask for con
  • willingness to pay a “hate task” (compute big hash) a la Zed Shaw
  • send_me_one_cent a micropayment
    • shows commitment
    • secondary validation from payment system
    • offsets risk

Identity Binding

  • Stale sessions
    bq. “If your application allows users to be logged in for long periods of time
    ensure that controls are in place to revalidate a user’s authorization to a
    resource. For example, if Bob has the role of “Top Secret” at 1:00, and at
    2:00 while he is logged in his role is reduced to Secret he should not be able
    to access “Top Secret” data any more.” —
  • how I authenticated: for instance, ‘logged in by cookie’ << ‘logged in by password’