Proposal for Open Reputation Management Systems TC (ORMS)

IIW, December 3-5, 2007, Mountain View

For information on OASIS IDtrust Member Section see: http://www.oasis-idtrust.org/

For more information related to ‘Joining OASIS’ see: http://www.oasis-open.org/join

www.oasis-open.org

Abbie Barbir (abbieb@nortel.com)

Nortel

OASIS IDtrust Steering Committee

OASIS provides a neutral setting where government agencies, companies, research institutes, and individuals work together to advance the use of trusted infrastructures

History PKI Forum migrated to OASIS PKI MS in November 2002 PKI MS transformed into IDtrust MS in 2007 IDtrust expanded its scope to encompass additional

standards based identity and trusted infrastructure technologies, policies, and practices

Steering Committee Abbie Barbir, Nortel June Leung, FundSERV Arshad Noor, StrongAuth John Sabo, CA, Inc. Ann Terwilliger, Visa International

www.oasis-open.org

IDtrust MS Background

Identity and Trusted Infrastructure components Studies and Projects addressing Identity and Trust

models and standards; relevant protocols and standards; trust infrastructures in use; costs, benefits and risk management issues

Identity and Trust Policies and Enforcement Policies; policy mapping and standardization; assurance;

technical validation mechanisms; trust path building and validation

Education and Outreach Documenting trust use cases and business case scenarios,

best practices and adoption reports and papers; organizing conferences and workshops; and establishing Web-based resources

Barriers and Emerging Issues Data privacy issues; interoperability; cross border/

organizational trust; outsourcing; cryptographic issues; application integration; and international issues

IDtrust Strategic Focus Areas

IDTrust Summary Current TCs

Enterprise Key Management Infrastructure TC PKI Adoption TC OASIS Digital Signature Services (DSS) TC XRI TC

Steering Committee developing new work plan for 2007/2008 Many opportunities to get involved We invite you to join OASIS and participate in the IDtrust

MS and/or TCs For more information contact Dee Schur: Dee.schur@oasis-open.org

Open Reputation Management Systems TC (ORMS)

Setting the Stage

Need established during OASIS IDtrust Burton workshop

(http://events.oasis-open.org/home/idtrust/2007 ) at Catalyst

Europe 2007

Validated by talks in Catalyst Europe 2007, Barcelona,

Objectives of this talk

Validation/improvement/feedback on the proposed TC charter

Getting interested parties involved in TC work

Identify co-chairs for the proposed TC

Get Founding Members involved

Need for Reputation Data Framework

Reputation Summary of past behavior of a subject within a specific

context (function of time) Assumes that past behavior is indicative of future behavior good reputation increases the trustworthiness of an entity Reputation Score can be used as a foundation of Trust (within

a context/interaction and testimonials )

Growing in popularity (online/social communities)

Many Flavors for providing feedback/reputation data Centralized systems (eBay) Decentralized systems ( such as P2P file sharing systems)

Some Examples

Can I trust this collaborative space? Is all content correct? Is all content authorized? Is all content appropriate for me? What is the creator’s reputation?

Can I trust this content? Is this content correct? Is this content authorized? Is this content appropriate for me? What is the creator’s reputation?

• Filtering out content that does not meet reputation criteria

through pre-filtering (by moderators) or post-filtering (by

community)• Reputation for content, creators and spaces• Objects come with reputation metadata• Implies an authoring and management system for those metadata• Reputation metadata must be trustworthy, i.e., authenticated

while respecting privacy• Reputation system must be user-centric (i.e., trust decisions are

controlled by user) and must offer choices for transparency (must

not get into the way of using content, leaves it to the user how to

handle trust decisions)

Principles of Reputation

Reputation is one of the factors that trust is based on Reputation is someone else’s story about me Reputation is based on identity Reputation exists in the context of community Reputation is a currency Reputation is narrative (evolves through time) Reputation is based on claims (verified or not),

transactions, ratings, and endorsements Reputation is multi-level Multiple people holding the same opinion increases

the weight of that opinion

Source: Windley et alSource: Windley et al

Reputation Management Framework

1. Build a generic open reputation system that is robust, scalable, IdM and application independent that supports a flexible trust model

2. Data needed for the generation of reputation Cold start problem Supports Multiple computational models Assertions/claims (within a context) Identity linking Portable Data model for users, credentials and

claims

3. Reputation based trust model Trust metrics; Verified claims and facts Direct and indirect transactions; Third party

Reputation Management Framework

4. Aggregation, Discovery and Storage How reputation scores are generated??? Central/distributed Authentication/trust of data and providers

5. Data reputation exchange protocol

6. Overall system security

7. Transparency Users feedback privacy & selective disclosure What transactions a user can see Ability to do Self-Assessment

Example of ORMS Interactions

B about CB about C

andand

C about BC about BUser BUser B

User CUser CInteractionInteraction

FeedbackFeedback

FeedbackFeedback Reputation Reputation Store IStore I Reputation Reputation

ServerServer

ReputationReputation

FeedbackFeedback

FeedbackFeedback

InteractionInteraction

User DUser D

Reputation Reputation Store IIStore II Reputation Reputation

ServerServer

Common Data/Context

Common Schema for Rep Score

Common Protocol

Convertible credentials

B about DB about D

andand

D about BD about B

ReputationReputation

AggregatorAggregator

User EUser E

Inquire about Inquire about

Score of D within aScore of D within a

context ; Access to context ; Access to

Reputation of IIReputation of II

ReputationReputation

Reputation Reputation Store IStore I Reputation Reputation

ServerServer

ReputationReputation

ORMS TC CharterStatement of Purpose/List of Deliverables To develop an Open Reputation Management System (ORMS) that

provides the ability to use common data formats for representing reputation data, and standard definitions of reputation scores.

The system will not define algorithms for computing the scores. It will provide the means for understanding the relevancy of a score within a given transaction. The TC's output will enable the deployment of a distributed reputation systems that can be either centralized or decentralized with the ability for aggregators and intermediaries to be part of the business model. The standard does not tie itself to a specific IDM, but let implementers plug-in their identity-schemes to ORMS.

List of deliverables: Use Cases Requirements document XML Schema for representing ORMS data XML Schema for Reputation Score Assertions/claims (tokens) profiles Protocol(s) for exchanging of reputation data and assertion tokens Security, threats and Risk analysis

ORMS TC Charter

Use Cases and Requirement Gathering

Use cases to gather requirements that ORMS will need to

meet and understand the business and social impact of

such a system including security, privacy, threats and risks

requirements will also be developed. Explore the use of

reputation mechanisms in novel settings.

Document that analyzes performance of existing reputation

mechanisms with respect to the requirements developed in

the previous steps and identify current gaps.

ORMS TC Charter

Develop Framework for Open Reputation Data

Enabling data mining through standard reputation data tagging for content

Development of common data models for expressing reputation data

Development of standard way of exchanging reputation claims among systems

Development of means of aggregating reputation data including delegation of claims generations and assertions

Development of query/response communication protocols for exchanging reputation data in a trusted and secure fashion

This step may develop a new protocol, or extend current ones such as SAML, OpenID etc

ORMS TC Charter

Out of Scope Algorithms that can be used for generating a

reputation score are out of scope of this work. The work will define a standard way to infer what a given score will mean but will not specify how to compute that value.

The work does not exclude methods for asserting equivalence or relationships between scoring systems. A possible output of the TC work might include methods to facilitate the calculation of comparisons between score ratings, or operations that take multiple scores as inputs.

ORMS TC Charter

Proposed Leadership

Co-chairs: Anthony Nadalin, IBM

Co-chairs: XXX, TBD

IPR Mode

TBD, RF or RF/RAND??

Language

English

Start Time

First Meeting: February or March 2008

Next Steps

Feedback on scope and charter is encouraged

We need community Participation and support

Early adopters can be founding members with voting

rights at the first TC meeting

We need co-chairs and industry support

Please send feedback to abbieb@nortel.com or Dee

Schur dee.schur@oasis-open.org

Many Thanks for your time

Bckup

Backup

Reputation Technology

Digital Identity

Summary of actual past behavior, by service provider

Real identityBackground check

against external data

Peer reviews

portableportable

specificspecific

Identity Verification, Identity Proofing

= Strong Identity

Trust in specific attribute or future behavior?