-----BEGIN PGP SIGNED MESSAGE----- I was thinking about the idea of positive reputations and thought I'd mention a few thoughts while waiting to see Dean's notes. As I understand it, a positive reputation is basically some kind of recomendation or endorsement of a person by someone else. It might be fairly specific, like "so-and-so paid a debt of $50 to me within the agreed-upon two-week period." Or it could be more general, like "so-and-so is, in my opinion, an honest person." I was thinking of positive reputations that might be relevant to the problem mentioned of anonymous posting to mailing lists and newsgroups. As Dean mentions, we can envision a system which uses the opposite of kill files. Instead, messages would only be displayed from people who met certain criteria in terms of their reputation credentials. What would I want to see in the way of such credentials that would help me decide whether I wanted to read the message? (The issue of judging the validity of credentials is discussed below.) Maybe recommendations in favor of the poster's intelligence, knowledge, judgment, temperance (i.e. reluctance to flame), etc. would be useful. Imagine a system in which a person was rated from 1 to 10 in each of these categories. A person's positive reputation would consist of (digitally) signed statements from various "endorsers" (or "introducers"), each giving their numeric judgements about the person in question. With this system, I could set my ideal mail/news reader to only display postings from people whose scores met some standards. Maybe I would average them; maybe I would weight the different categories according to my own tastes. But this would let me filter out time-wasters like the random poster who was causing problems. Now, this still leaves open the problem of judging the validity of various credentials. This problem is very similar to the problem of accepting key signatures in PGP. If I receive a PGP key loaded with signatures, that doesn't mean much unless I know at least one of the people involved (either directly, or through the net). Only then can I judge how valid the signatures are. In the same way, if a new person posts on a newsgroup, and includes his credential loaded with 10/10/10/10's, that doesn't mean anything unless I know some of these people who are vouching for him. In the most extreme case, he could have created a bunch of false identities and had them provide all the endorsements. So an endorser unknown to me is not useful. It's interesting that the PGP key "web of trust" may have application to this more general problem. I wonder if the PEM folks will push for a centralized "email posting quality" hierarchy in which agencies rate each person's quality of postings and assign them an official score. :-) This would be the analog of their solution to the key-signature problem. That's about as far as I've gotten. A few more general comments: Such a system requires an infrastructure of public-key encryption and digital signatures. Only in that way will signed credentials be secure enough to be meaningful. Since so few people use these tools today, a positive-credential system would filter out almost everyone, throwing out the baby with the bath water. But, remailers are springing up everywhere. It is an idea whose time has come, it seems. So the problem exists today, but the solution can't be practically applied for at least another year or two, even assuming rapid acceptance of PGP, RIPEM, PEM, or some other cryptographic standard. That means that there may be some political pressure against remailers during this interval. Perhaps we can turn this to our advantage by describing the advantages of a credential system, and using that to further encourage widespread use of cryptographic programs. Hal Finney 74076.1041@compuserve.com -----BEGIN PGP SIGNATURE----- Version: 2.1 iQCVAgUBKzFI+KgTA69YIUw3AQEdCQP8DbPD9jrlR1MhlLOOQrSUc8Svcue2DZsj +DIXiC50bpv+C5pZYtoCa5SuOXX8W6XmZRSkZW3gilvEKDQ2Zt7hH0ol+tFnn8cs q05T1bYJIZqdMdqia6PZkVyvs+DQLuQSog5rZxAja1XfC/Rq59RnbPp2IViLqDiD OfiasXA4Egs= =GVH7 -----END PGP SIGNATURE----- Distribution: CYPHERPUNKS >INTERNET:CYPHERPUNKS@TOAD.COM