[foaf-dev] FOAF-based whitelisting project

Dave Brondsema dave at brondsema.net
Wed Mar 14 02:53:59 UTC 2007

Graham Klyne wrote:
> Hi,
>
> This is a response to several points raised in this thread:
>
> 1. I think that simply publishing a whitelist with hashed email addresses=
> insufficiently secure:  because there are relatively few domains and email
> addresses tend to have regular patterns, this may be subjected to a dicti=
> attack by spammers to obtain suitable addresses to forge in their emails.=
> additional cleverness is required to prevent such attacks.

Yes, plus spammers already have millions of non-hashed email addresses
to spoof.  It would be dangerous to query a trust network using an
identity that you haven't authenticated.  Fortunately, SPF and DKIM are
two authentication methods for email that many mail servers have begun
to implement.  I think most or all configurations would require SPF or
DKIM authentication before computing a trust value.

>
> 2. Regarding trust models based in psych research - I believe a seminal work in
> this area was by Stuart Marsh.  His model is regarded by many as being ve=
> important but too complex for general computational use.  It is widely cited by
> those who have developed more computationally amenable models.

Do you mean Stephen Marsh at
http://homepage.mac.com/smarsh2003/Main/index.html ?  I haven't read any
of his work yet; I'll have to increase his priority in my reading queue.

I also have been listing some researchers, and lots of workshops at

>
> 3. Non-linear trust metric: Audun Josang has a model of "subjective trust" which
> has been very influential.  It combines elements of trust and certainty, and has
> a relatively simple associated calculus.  I'm not sure the extent to which the
> calculus has been verified against empirical or psych studies.
>
> 4. There was (still is?) a network of researchers interested in trust in
> computing environments called iTrust -- http://www.itrust.uoc.gr/ -- the
> working group funding ran for 3 years and supported 3 conferences;  there=
> since been at least one more conference.  Papers from these conferences c=
> many aspects of trust, and in particular reputation systems that embody s=
> notion of trust in analyzing recommendations.
>
> 5. IIRC, iTrust researchers in reputation systems generally found it was =
> to give each - party separate trust ratings as a recommender and as a pri=
> provider.
>
> ...
>
> There are some related descriptions and references here:
> http://www.w3.org/2001/sw/Europe/reports/trust/11.2/d11.2_trust_vocabular=
>
> This is just one of many possibly relevant papers thrown up by Google for
> "Josang trust metric"
>
> Finally, some (rather dated) notes on my own web site:
>   http://www.ninebynine.org/iTrust/Intro.html
> including a survey of papers from the first 2 conferences:
>   http://www.ninebynine.org/iTrust/iTrust-survey.html
> (the raw data for this was collected as RDF).
>
> #g
> --
>
> Kjetil Kjernsmo wrote:
>> Hi all!
>> Some of you might have noticed that I started "Community Projects" with
>> the W3C semweb Education and Outreach IG, and submitted a proposal
>> myself, about using FOAF-based trust networks for whitelisting email.
>> And blacklisting too.
>> The project overview is at
>> http://esw.w3.org/topic/SweoIG/TaskForces/CommunityProjects/FOAFWhitelis=
>> Importantly, I want to build it using the most basic data, really
>> identifying people, context-dependent trust, etc, will need to be added
>> as we go. I just want to make this useful as quickly as possible.
>> If no-one objects, I intend to use foaf-dev as the project mailing list.
>> After all, it should be the core topic of this list. Of course, I have
>> other options as well, I even have a mailman install of my own, but I
>> hope to engage people here, and besides, it isn't that much activity
>> anyway.
>> I've started to write some code, as plugins for Qpsmtpd and
>> SpamAssassins are the main deliverables on the road-map.
>> I've created some untested code, now at
>> http://svn.kjernsmo.net/qpsmtpd-foafwhitelist/trunk/check-foaftrust
>> and
>> http://svn.kjernsmo.net/Mail-SpamAssassin-Plugin-FOAFTrust/trunk/lib/Mai=
>> They should be functional, though, except for one little fact, that the
>> trust metric is now just a random number... :-)
>> Chris Prather has started coding the trust module, though, and we'll see
>> what we can get out of this. Chris now has write access to my SVN repo,
>> we'll be accepting patches.
>> I hope people will be interested in getting involved. I hope this can be
>> big, I mean, we already have like 17 million FOAF profiles out there,
>> and if this becomes useful, we could persuade others to support it.
>> Cheers,
>> Kjetil
>
--
Dave Brondsema : dave at brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
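
The requirement discussed above, that a sender identity pass SPF or DKIM before any trust value is computed for it, shown as an added Python example (not code from this thread or from the FOAF whitelisting project). It assumes the receiving server stamps an Authentication-Results header under the hypothetical authserv-id `mx.example.net` and removes any such header that arrives from outside; the function names, whitelist and sample messages are constructed for illustration.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

def mbox_sha1sum(addr):
    # FOAF's foaf:mbox_sha1sum is the SHA-1 of the full mailto: URI.
    return hashlib.sha1(("mailto:" + addr).encode("utf-8")).hexdigest()

# Constructed whitelist, as it might be gathered from trusted FOAF profiles.
WHITELIST = {mbox_sha1sum("alice@example.org")}

PASS = re.compile(r"\b(?:spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)="
                  r"(?:[^\s;@]*@)?([^\s;]+)", re.I)

def authenticated_domains(msg, authserv_id):
    """Domains with an SPF or DKIM pass recorded by our own mail server."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        server, _, results = header.partition(";")
        if server.split()[:1] != [authserv_id]:
            continue  # stamped by another host, possibly the sender: ignore
        domains.update(d.lower() for d in PASS.findall(results))
    return domains

def trust_lookup(raw, authserv_id="mx.example.net"):
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()  # lowercasing is an assumption
    domain = addr.rpartition("@")[2]
    # Exact domain match only; no subdomain alignment is attempted.
    if not addr or domain not in authenticated_domains(msg, authserv_id):
        return "unauthenticated"  # do not query the trust network at all
    return "whitelisted" if mbox_sha1sum(addr) in WHITELIST else "unknown"

# Constructed sample messages.
GENUINE = ("Authentication-Results: mx.example.net; spf=pass "
           "smtp.mailfrom=alice@example.org; dkim=pass header.d=example.org\n"
           "From: Alice <alice@example.org>\n\nhello\n")
SPOOFED = ("Authentication-Results: mx.example.net; spf=pass "
           "smtp.mailfrom=bulk@mailer.test; dkim=none\n"
           "From: Alice <alice@example.org>\n\nhello\n")
FOREIGN = ("Authentication-Results: other.test; dkim=pass header.d=example.org\n"
           "From: Alice <alice@example.org>\n\nhello\n")
STRANGER = GENUINE.replace("alice", "bob")

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED", "FOREIGN", "STRANGER"):
        print(name, trust_lookup(globals()[name]))
```

A whitelisted hash only yields a trust decision when the From domain matches a domain the local server authenticated; a pass for some other domain, or a header stamped by another host, stops the lookup before the whitelist is consulted.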
