Design criterion for a reputation service: * Reliable * trustworthy * resistant to dropping unflattering credentials * decentralized * easy to use * easier to automate * needs to support distributions of pseudonyms reputations without providing information about the nym. Designing a solid credential server is not an easy task. There are many requirements that one should meet. The basic server I am considering is designed for Internet as it is today. Mostly academics, researchers and students, operating on a highly insecure internet for mostly personal reasons. There are few large transactions occurring on the net; there is not a lot at stake in the grand scheme of things. OTOH, there is an awful lot at stake; specifications, especially bad ones, tend to live forever. Remember the RISKS piece on trains and horses? Thus the server I present could work well today in conjunction with MPAs, (Mail Processing Agents, such as procmail and filter) with newsreaders, and other similar software in order to handle bright filtering (the next generation of kill & hot files should be based on a distributed idea of whose work is worth reading, and whose is not. After that, the system should expand to cover reputations in various realms, reputations for various characteristics, and other things which I'll talk about in the next message. There are three basic models for sophisticated reputation distribution. The simplest method, of each person handling their own, has too many failure modes to be useful. The sophisticated models are essentially mail, Usenet and server based. I assume all transactions are signed, and encrypted at the users request to provide some amount of security against forgeries and traffic analysis. In a server based system, some set of databases exists to collect reputation certificates. A user (better yet, their agent) asks for a reputation certificate for some entity. The server sends it back. This could be built on the send everything you know model, or the request could be for certificates of people who the requester respects. Such filtering might be better done on local CPU. The system has the advantage of carrying all information in an easily queried format. It also has the advantage of concentrating certifications. Thus you could say things like 'The well regarded spaf' or 'The often ignored Marjorie Simpson,' because the server would collect such data. The next system would be based on Usenet. People would occasionally post their opinions to a newsgroup, and people who respected those people, directly or transitively, would pull in their postings. This system has the advantage of using existing technologies, and propagating widely, probably even past most firewalls. A third system would be based on mail. People would subscribe to lists, or send mail to folks they respect saying 'please put me on your reputations list.' The folks thus honored would then respond by sending out regular lists of who they respect or disrespect. This really requires everyone to run some sort of filtering agent. It has the advantage of allowing people to set up closed lists for propagation, and only distributing information on a demand basis. Note that this mail system is not the only one that could use mail for propagation, it simply uses mail as an automatic and regular carrier of information, while a server system would only do so on request. Both the mail and news systems may fail to provide timely information about new individuals who may have a reputation, but because you never asked for it in mail anywhere, or because articles have expired on your newserver, you can not find it. This is the reason the server system would be useful. Not so much in a filtering context, but instead in a system where reputations are relied on for various semi-real time services. The expandability of the system relies on part on its ability to find arbitrary reputation information quickly and automatically. That is something that a server system does well, but a mail or news system does not. To build a mail system, you would need some sort of decent filter (such as MH filter, procmail, or mailagent) which can run programs based on a set of conditions. You would need a rule which would watch for incoming reputation cred. certificates (which would be signed, maybe encrypted). This would pipe into your assesment program, which would keep track of how you relate to each of the various people who send you reputations cred. certificates. It would turn all the information into a database. On any high volume forum, you could filter incoming mail into a set of filters which react based on the numeric scores given to a person by your assesment program. Anyone whose carries enough reputation credits to pass your filter goes into one box, everyone else goes into another. (Clearly, you can be more selective, set up several boxes, or whatever else you want.) The tough part of making this system work is in the generation of reputations credits. Hal mentioned that the Extropians built a system based on buying and selling of reputations on a market. I don't see these reputation credits as being something tangible. You can't carry your reputation credit with you; they exist as a result of your participation in a web of respect. I don't care that Homer Simpson is a well respected authority in rec.drink.brewing; his worlds and mine rarely cross. He can't pick up his reputation credit and plop down in cypherpunks, expecting to be well respected; none of us know him. Or maybe someone does, in which case, they can (automatically) tell us what they think. Becuase reputation credit is not fungible, and because it propogates itself, buying and selling it may be confusing. If someone well respected gets an additional unit of reputation, then all the people who he/she respects will also gain slightly. I expect that a system based on giving away reputation credits would work well. If you respect too many people too mcuh, your value as a link in peoples chain will decrease, and people will start disrepecting you, becuase you disturb their filter. Eventually, if you keep it up, the value of your reputation credit will drop close to zero, as no one cares about what you have to say anymore. This may fail if someone with interesthing things to say decides to disrupt the system. I'm not sure why someone with interesting things to say would think it was worthwhile to disrupt the system, but I don't like designing things on expect and oughts. Perhaps a system could be implemented that would allow you to give reputation credit in 'transferable' and 'non-transferable' forms, so you could respect what someone had to say, but pay no attention to their opinions of people. I hope, but don't know if I can expect, that a system like this would get its initial momentum from people who want to be able to use it for their own smart filtering. If the system were well designed (easy to change how much reputation credit you give someone), then making a change in your filtering would be as simple as saying "slander tcmay@netcom.com +50" (slander is the working name I've been using to describe the program to enter reputations, good or bad. It came from thinking of this as a Usenet based system.) If the system could build up some initial momentum from people using it for personal filtering, then it would probably accelerate from there. As more people use the system, it becomes more useful to use it, accelerating its growth. Its growth hopefully, is not constrained by the underdesign of servers, since each person serves themselves. As the software becomes more useful, it is easy to build and design alterate systems of spreading reputations because the system is decentralized. If I decide I want to build a system where each person whose first name begins with a vowel gets an extra 5% added to their reputation, and then add 10% to my perception of the reputation credits of any one who three people I give more than 75% reputation credit to, then I can implement that in my local assesment program without disturbing everyone who relies on my server. (Admittedly, the people who currently pay attention to who I gvie rep cred to may no longer do so, after strange credits start coming out, but thats a seperate problem.)