17 Aug 2003 trs80   » (Apprentice)

Small scale trust mechanisms

Before gbowland (or grahame as he prefers to go online these days) took LiveJournal by storm with his lj-haiku script (more stats), he wrote the UniSFA smut tree project. Anyway, this had some authentication issues - namely you couldn't really tell who someone really was, since registration only required a valid email address.

Because there aren't that many users, implementing a trust metric for this site alone isn't going to be that useful for preventing impersonation/trolling (see this slashdot article on distributed trust metrics for another example). So what's the solution? Leverage someone else's trust metric. Stevey did this with the LJ Valentine System - to get an account you needed a LJ account, which while LJ doesn't strictly have a trust metric, you can tell who someone is by their past posts, friends and description.

Some other examples of places trust can be obtained: email domains with well-known users (eg people know the username <-> person mapping of UCC, and to a lesser extent the UWA student system tartarus). In these cases, you simply allow people to show who they are by sending the "confirm your account" email to their username@trusted.domain. Other possible sources of trust include IRC nickservs, Advogato, Slashdot etc. However, these latter ones do not allow for external authentication via their database, so your website has to ask for the username and password and authenticate directly, which raises the question of how much you trust the website not to keep a record of your password.

You could also just use the PGP web of trust, but generally your target audience will not be that PGP-savvy. Another advantage of using already existing user databases is that you can match the authentication to the audience you are targeting; eg if your website is for an IRC channel, IRC nickserv auth is appropriate, while for LJ users their LJ email is what you want. The other thing you want is a choice of authentication methods - eg not everyone may have a UCC account, but they do have an LJ or tartarus account instead. Usernames should then be displayed as user@trust_domain.
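One way the email-domain method described above could look, as an added example (not code from this post or from any project it mentions). The domain names, the secret key and all function names are assumptions; actually sending the mail is left to the site.

```python
import hashlib
import hmac
import re
import time

# Assumed trust-domain labels and mail domains (constructed placeholder values).
TRUSTED_DOMAINS = {"ucc": "ucc.example", "tartarus": "tartarus.example"}
TOKEN_LIFETIME = 24 * 3600  # seconds a confirmation link stays valid


def confirmation_address(username, trust_domain):
    """Return the only address the confirmation mail may be sent to."""
    if trust_domain not in TRUSTED_DOMAINS:
        raise ValueError("unknown trust domain")
    # A strict username pattern stops "@", ":" or newlines from redirecting
    # the mail or confusing the token format below.
    if not re.fullmatch(r"[a-z0-9_-]{1,32}", username):
        raise ValueError("invalid username")
    return f"{username}@{TRUSTED_DOMAINS[trust_domain]}"


def _mac(secret, payload):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(secret, username, trust_domain, now=None):
    """Build the token to embed in the "confirm your account" mail."""
    confirmation_address(username, trust_domain)  # validates both inputs
    expires = int(time.time() if now is None else now) + TOKEN_LIFETIME
    payload = f"{username}@{trust_domain}:{expires}"
    return f"{payload}:{_mac(secret, payload)}"


def verify_token(secret, token, now=None):
    """Return the display name user@trust_domain, or None if invalid."""
    try:
        identity, expires, mac = token.rsplit(":", 2)
        deadline = int(expires)
        expected = _mac(secret, f"{identity}:{expires}")
        # Constant-time comparison on bytes, so non-ASCII input is safe too.
        ok = hmac.compare_digest(mac.encode(), expected.encode())
    except ValueError:  # malformed token, bad number or unencodable text
        return None
    if not ok or (time.time() if now is None else now) > deadline:
        return None
    return identity
```

The token is only ever mailed to the address built by `confirmation_address`, so presenting a valid token shows control of that mailbox without the site handling any third-party password.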

Anyway, enough rambling. The point of this post is that it'd be useful if a collection of these authentication methods was made into a library for future use. Ideally it'd be language neutral, but support for at least two of perl, python and/or php (the most common website scripting languages) would be desirable. Uh, so, Stevey, would you be interested in working on something like this? Oh, and apologies if this doesn't make that much sense - it's 1:45am and I'm still twitching from the whole block of rum and raisin chocolate I had at about 8pm.

More lj-haiku stats: 615,000 total haiku generated, 139,000 unique usernames. Given that around 350,000 LJ users update weekly, that's a penetration of 40% in a week.

Life: Nothing of note. Anyway, there's too many Life posts on Advogato atm, and not enough open sourcery IMHO, so this is my attempt at reversing the trend :P. Oh, and the diary ratings seem stuck again.
