[OpenID] Community Reputation Services
Nate Klingenstein
ndk at internet2.edu
Wed May 21 22:44:50 UTC 2008
Paul,

You highlight one of two important differences between what we need
and a general reputation service as usually discussed. It's the
reputation of the OP which is specifically of interest to us, not
that of the user. This is so because we must be able to preserve
users' privacy when needed, both for traditional academic freedoms
and compliance with various countries' privacy laws and our FERPA.
We're also dealing with attributes that are not self-asserted and,
for now, a population that turns over every 4 years (if they're
lucky ;D ). Together, these imply established OPs which are
themselves accountable and known rather than the end user.

The second difference is we have no absolute reputation, and thus no
different opinions to reconcile. There are just different flavors
of reputation, where an OP is considered able to express certain
information. For example, a UC Berkeley IdP could state a UC Campus
Employee ID, but Stanford couldn't, and UC Trust handles the
community services for that. Using existing namespaces with
community services seems a fine way to do this for OpenID, where the
trust model relies on DNS/TLS reliability anyway.

We also don't currently have shades of grey -- you're in or you're
out, in most cases -- but a data model that allows for them alongside
monochrome 1's and 0's doesn't make things much more complicated if
you don't want them to be, so I don't consider that a problem.

I think the flows I laid out are sufficiently universal for all these
use cases since the provider can reconcile and interpret the results
of such a query any way it pleases. As it's protecting the sensitive
content/user data, I think that's proper. That opinion itself needs
a big pile of your second thoughts, though.

Thanks for all the interest and input so far,
Nate.

On 21 May 2008, at 16:59, Paul Madsen wrote:
> Hi John, if I read you correctly, the 87% refers to the probability that
> the user is not a bot - this assessment performed by the OP based on its
> understanding of its own processes? And the RP would weight this 87%
> score by the OP's own reputation for correctly assessing such odds?
>
> In Nate's use case it's the OP's reputation he is specifically
> interested in, which you seem to defer on how the RP might obtain?
>
> paul
>
> John Panzer wrote:
>> I'm not a spec editor, but this is interesting to me once we get
>> through other more basic issues.
>>
>> I had been toying around with an OP-based reputation model where the
>> OP can optionally provide some type of reputation claims along with
>> the identifier. In the cases I'm thinking of, everything is very
>> probabilistic, so you would end up with claims like "not a bot: 87%".
>> Or more holistic claims. Which would be judged according to the OP's
>> reputation for accuracy of course. This is similar to the verified
>> email idea (is there a standard AX schema for that?) but fuzzier.
>> (Even email verification is fuzzy of course, as the verification event
>> fades into the past the probability should actually 'decay'.)
>>
>> Eddy Nigg (StartCom Ltd.) wrote:
>>> Nate, I think this to be very interesting, but no replies have come
>>> forward so far. Does any of the spec editors consider something like
>>> this?
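
The per-attribute model discussed in this thread (an OP is either in or out for a given kind of information, with optional grades, and the relying party interprets the answer as it pleases) can be sketched as follows. This is an added example, not code from any poster or from an OpenID specification; the host names, attribute URNs, scores and function names are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed community-service data (hypothetical): for each attribute type,
# the OP hosts the community considers able to assert it, with a score.
# 1.0 models "in"; an absent host is "out"; values between are shades of grey.
UC_TRUST = {
    "urn:example:uc:campusEmployeeID": {"idp.berkeley.example": 1.0},
    "urn:example:common:affiliation": {
        "idp.berkeley.example": 1.0,
        "idp.stanford.example": 1.0,
        "openid.newcampus.example": 0.6,
    },
}


def op_host(op_endpoint):
    """Return the OP's DNS name, or None unless the endpoint is https."""
    parts = urlsplit(op_endpoint)
    if parts.scheme != "https" or not parts.hostname:
        return None  # the trust model rests on DNS/TLS, so refuse plain http
    return parts.hostname.lower()


def op_score(service, op_endpoint, attribute):
    """Community's opinion of this OP for one attribute; 0.0 if not listed."""
    host = op_host(op_endpoint)
    if host is None:
        return 0.0
    return service.get(attribute, {}).get(host, 0.0)


def accept_attributes(service, op_endpoint, asserted, threshold=1.0):
    """RP-side interpretation: keep only attributes the OP may express.

    threshold=1.0 is the binary in-or-out behaviour; a lower threshold
    lets the RP accept graded entries as well.
    """
    accepted, rejected = {}, {}
    for attribute, value in asserted.items():
        score = op_score(service, op_endpoint, attribute)
        ok = score > 0.0 and score >= threshold
        (accepted if ok else rejected)[attribute] = value
    return accepted, rejected
```
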