The solar trust model, identity, and anonymity

Determining the extent to which information can be trusted is an extremely challenging problem. The same information may be trusted to different extents depending on the context it is observed in, who is observing it, the observer's needs and experiences, and what the observer learns about the information from other sources. Aspects of this problem are addressed through authentication systems, trust models, and recommendation systems. Typically, systems only provide one or two of authentication, trust, and recommendation services at the same time. We combine all three into a single model, the Solar Trust Model (STM). The STM is a graph-oriented model, using relative distance from subjects to represent relative trust. These structures are nested, as subjects have trust relations with other subjects. This allows users to evaluate how much they can trust other entities with minimal knowledge of those entities. The model supports dense trust levels, relative trust, dynamic trust, multiple paths of trust, non-transitive trust, and locally defined trust. It is scalable both computationally, and across social and organizational boundaries. It uses context sensitive trust, analyzed based on each user's own requirements, knowledge, and experience, and recommendations from others. Other trust models contributed significantly to study of trust modeling. We describe each model, its contributions, and its limitations. We show how the STM addresses these limitations. We represent the STM, its services and protocols, mathematically. We then describe attacks against the model's protocols. By preventing attack preconditions, we were able to make those attacks infeasible, while improving the protocols' efficiency. To determine the trustworthiness of an entity, it is critical to be able to identify it. We introduce a formal, property-based model of identity, in which the identity that an observer perceives an object to have depends on the values of the properties the observer can read for that object. We then demonstrate the difference between the identity that a subject claims to an observer to have, and the identity that the observer perceives that the subject actually has. Next, we show that both claimed and perceived identities are subjective and dynamic. This is important, since trust models typically assume that identity is static. We also establish properties of identities, and prove several theorems about how identities can or can not be distinguished. Using this, we argue that existing approaches to anonymity can be extended to present different views of an entity's identity. Our technique, relative anonymity, allows for anonymity to be determined relative to a specific observer, rather than in global, absolute terms, and provides flexibility in many situations where anonymity requirements conflict with other requirements. The ability to manipulate identities, or to violate anonymity by causing an observer to learn a previously anonymous identity, is the basis for identity-based attacks. We use our new theory of property-based identity and anonymity to identify seven new classes of attacks against identity and anonymity, and show how the framework constructed for relative anonymity leads to restrictions on the ability to exposing, manipulate, hide, duplicate, or impersonate the properties of an anonymous entity, in order to inhibit or eliminate those attacks. Because these attacks can undermine trust in identities, they apply both to the STM and to other trust and authentication models that rely on a notion of identity to determine trust or to grant privileges.