The following is a guest blog post contributed by Dan Blum.
“A global reputation system will restore trust,” said RSA CEO Rohit Ghai during a keynote presentation I reviewed at RSA 2019. In the same way that whitelisting is more effective than blacklisting in the never-ending antivirus battles, reputation will give defenders the edge in futuristic conflicts between AI-augmented attackers and defenders.
But there’s a lot more to whitelisting personal reputation than registering known file signatures. Since Ghai painted the reputation picture in exceedingly broad terms, it’s down to us to color between the lines. Fortunately, I had some experience from working with Drummond Reed, now Evernym’s Chief Trust Officer, for over a year on this topic.
Let me take you back 6 years to 2013. LinkedIn did not yet have the “endorsement” feature, but startup Connect.me (not to be confused with Evernym’s digital wallet app of the same name) was going strong with 25,000 users. It was growing in such a viral manner that it had to be temporarily shut down and re-platformed. Users loved Connect.me because, unlike special-purpose reputation systems used for sellers at sites like eBay, it enabled subscribers to have reputations in different contexts – i.e., computer programming, photography, dress-making, you name it.
Some people loved Connect.me so much that, according to then-CEO Drummond Reed, “We had a big problem with reputation spam.” Many users were trying to game the system.
When Connect.me 2.0 came out with a more scalable release, it also featured socially-verified reputation. This was achieved through a governance model not unlike what you see on some customer-managed support bulletin boards. In order to advance one’s reputation and have the ability to vouch for others, one had to be verified by one of Connect.me’s superusers who had been through the same process.
Unfortunately for Connect.me, the six-month delay between releases proved fatal. Although the improved reputation network grew to 100,000 users within two weeks, a much larger competitor – LinkedIn – rolled out its Endorsement feature. That took the wind out of Connect.me’s sails, and Reed moved on to other things.
History repeated itself. Some people loved LinkedIn endorsements too much. Soon, everybody was an expert at everything on LinkedIn. The endorsement feature had to be rebuilt over the years just to retain credibility. It looks a lot different now than it did at first.
Decentralization – From reputation provider to reputation registry
All this begs the question: can a single company (or entity) really serve as a global reputation provider?
At RSA, Rohit Ghai may have been onto something when he elaborated that “Global reputation systems will work like a distributed ledger of deposits (good deeds add reputation) and withdrawals (bad deeds reduce it).”
The beauty of a distributed ledger, like a blockchain, is that no one entity needs to be the reputation provider. Instead, the distributed ledger acts as a reputation registry. One reputation registry can potentially support multiple reputation contexts and with that exhibit more openness than a centralized provider while still achieving a network effect.
Reputation is just another verifiable claim
- Reputation Registries allow many reputation use cases, or contexts. Each use case can have a different community of relying parties with different rules. For example, reputation might not be publicly available outside the community. Reputation might be asserted and taken at face value, or a reputational assertion could be set to require social verification.
- Users and organizations participating in a reputation system play the role of Reputation Issuers, as well as Reputation Consumers.
- A Reputational Claim is a verifiable claim about a user or organization’s reputation. For example, “Dan Blum is a Security Architect with 50,000 Thumbs Up.”
Sound simple enough? Read on.
Network effects without centralization?
Without a network effect any identity or reputation service, would-be standard, or product is just another wannabe. Countless schemes to improve Internet identity have succumbed to the chicken and egg syndrome, ultimately unable to get critical mass. The most successful identity-related phenomena have been centralized systems such as Google or Facebook, powered off the back of a search engine and social network respectively.
However, it seems certain that no one centralized solution can obtain ubiquitous adoption as a reputation provider (or even just an identity provider) in our multicultural, polycentric world riven with power struggles and privacy concerns.
Exploring a self-sovereign identity (SSI) solution for a global reputation
If we’re ever going to see a global reputation system it will have to get a network effect and take on the multicultural, polycentric character of the globe itself.
Drummond Reed from Evernym believes that the Sovrin Network – a blockchain-based identity network – could form the foundation on which multiple global reputation systems could thrive. Personal and business users of Sovrin could each participate in multiple systems and potentially share or reuse reputation more broadly. I’ll do another interview with Drummond later to fully explain how, but for now, just understand that the Sovrin Network could provide a single logical (and global) registry for persons and businesses that could have and use reputation. Because Sovrin is already getting traction for specific use cases such as a Verifiable Organizations Registry in Canada and the U.S. Credit Union Service Organization’s CULedger for members, it could generate the required network effect.
Also supporting the network effect thesis, Sovrin provides a public blockchain based on open source technology, and its identity functionality is based on the W3C Decentralized Identifier (DID) and Verifiable Claims standards, as well as a decentralized use of standard public/private keys. Reputation would be just another kind of verifiable claim supported in the Sovrin Credentials Layer and carried over Sovrin’s peer-to-peer Agent-to-Agent protocol layer.
Multiple reputation systems could “live” in the Sovrin Network because it is not only a public blockchain, it is a public permissioned blockchain. It has a governance layer and operates based on the Sovrin Governance Framework, which is a trust framework that Sovrin Stewards, as well as Transaction Authors and Transaction Endorsers, must abide by. It is designed for global reach and would allow (for example) reputation systems from different industries in different parts of the world to establish domain-specific trust framework extensions; they could plug in rules for their local reputation network participation, claims verification, access control, and more.
In the RSA 2019 keynote, Ghai and Howe envisioned unleashing a new age of prosperity, making poverty a thing of the past, and improving governance through transparency and risk management enabled by reputational trust. In my first post reviewing this, I was skeptical that the unified “TrustLink” could ever come to be. Having talked to Drummond Reed and caught up on the Sovrin Network, I’m glad to hear that global reputation is still on the radar screen.
About the author
Dan Blum is an internationally-recognized expert in security, privacy, cloud computing and identity management. He develops Security Architects Partners’ business partnerships, creates content and leads consulting engagements. Blum provides security workshops, assessments, architectures and custom consulting services for large enterprise customers covering multiple areas of expertise.
Furthermore, he assists enterprises with many areas of security architecture, policy and strategy development. Dan Blum was honored in 2011 as Golden Quill Analyst at Gartner, and as a Privacy by Design Ambassador in 2013. He has authored 2 books, written for numerous publications and participated in standards groups such as CSA, ISACA, OASIS and others.