Managing trust in our digital world

Juggling collaboration, contracts and reputation is key

In this month's piece, John Arnold, chief security architect at Capgemini UK, discusses the Jericho Forum's concepts of online trust and collaboration-oriented architecture. The Forum is an organization dedicated to encouraging innovations in e-commerce security.

Would you trust someone you've never met?

Lack of trust is the most serious problem with the Internet today. Lack of trust encourages phishing and spam, and limits the Internet to low-value transactions. Trust cannot be developed using technical security concepts alone; it must come from examining how humans create trust. The Jericho Forum's collaboration-oriented architecture addresses what we see as serious shortcomings in traditional approaches to online trust. Let's take a closer look:

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

In this month's piece, John Arnold, chief security architect at Capgemini UK, discusses the Jericho Forum's concepts of online trust and collaboration-oriented architecture. The Forum is an organization dedicated to encouraging innovations in e-commerce security.

Would you trust someone you've never met?

Lack of trust is the most serious problem with the Internet today. Lack of trust encourages phishing and spam, and limits the Internet to low-value transactions. Trust cannot be developed using technical security concepts alone; it must come from examining how humans create trust. The Jericho Forum's collaboration-oriented architecture addresses what we see as serious shortcomings in traditional approaches to online trust. Let's take a closer look:

We'll start by establishing a common understanding of key terminology, derived from the non-electronic world:
* Trust is a precondition for choosing to rely upon a collaboration with another party.
* Collaboration is an interaction between parties for some mutual purpose. A collaboration is governed by a contract between the parties involved.
* A contract is a mutually understood set of obligations between parties backed up by an accountability mechanism to handle non-performance. A contract is a legal entity but it does not have to involve lawyers – there are unwritten and implied contracts, for example.
* Reputation is an opinion that one party has of another that a collaboration between them is likely to succeed. If I have a high reputation with you, it is because, based on my previous history, you believe some combination of the following:

* That I am well disposed towards you.
* That I have an incentive to collaborate with you properly and not to misbehave.
* That I have the resources and skills to perform my part of the collaboration.

Reputation, contract and collaboration are related: If I have a high reputation then I will find it easier to contract with people. If I collaborate as expected by the contract, then my reputation will rise; and so on.

We all know that reputation is hard-earned, but easily lost. Just one failure to honor a deal can set you back almost to square one. Even a suspicion (not proven) of dishonorable dealing can ruin a reputation – as credit rating errors have amply demonstrated many times. The saying "Would you buy a used car from this man?" has entered our language as a good measure for deciding trust. Indeed, reputation is something that business traders truly value higher than all else.

OK – now that we agree on the basic concepts underlying what trust is about, let's ask the question: How do they relate to modern security architectures in the eBusiness world? The answer is not very well!

A directory (of the Microsoft Active Directory or LDAP type) contains information about people and organizations, so we can think of it as a reputation repository. But most directories include only identity information: name, e-mail and, if we are lucky, home address.

This gives us some basic accountability (if I know where you live, I can sue you), but it doesn't tell me anything about how our previous collaborations have gone. This type of information can be stored in human resources databases and audit logs and in proprietary reputation systems like eBay has. Unfortunately it's not in a standardized form and it's not available to the right systems.