Subject: Re: [orms] Use Case - OpenID RP Reputation in Trusted Exchange


Hi Nate,

> 
> I understand, and that makes sense.  I agree that the RP's reputation is 
> very important for safeguarding user information that is sent.
> 
> However, I think your view here is different from the common OpenID 
> view.  That's mostly because they're worried about spam and less 
> important user data and applications.  See, for example, this page. 
>  You'll see that most people are concerned about the OP, and some are 
> concerned about both.
>

Yes. I noticed that fact by hearing many conversations at the past IIWs. 
I think that it is because the credibility of the OP is more important in most 
of the currently existing use cases, such as social bookmarks and online 
albums. In those use cases, RPs are providing something valuable and 
should be protected. However, the balance of importance between OP and RP 
will switch when the OP retains valuable data of users and has strong 
credibility, such as financial institutes or telecom carriers. We might 
not even need reputation for those organizations.

NRI is a system integrator. Our perspective is closer to those 
organizations than to Web 2.0 service providers. But we understand 
their perspectives, too.

> http://wiki.openid.net/Reputation
> 
> For our use cases in R&E, the reputation of both is important.  The 
> OP/IdP is trusted to send accurate information about real users, and 
> log in users properly.  The RP is expected to treat user data with 
> caution and not receive more information than they need.
> 

This is the most important reason why we include contract negotiation 
processes in the TX. In our real use case, RPs (travel service providers) 
know that the OP (airline) is trustworthy because it is the center of their 
business ecosystem. This model lowers the barrier for RPs to join the business 
community (because they don't have to manage customer information, 
payment and so forth, and they can reach the mass of existing customers 
easily). This model also encourages RPs to compete with each other by 
evaluating reputation scores. So, the business community grows and 
evolves organically.

>>> 2)  How do providers decide which reputation service to use and 
>>> trust, since anyone can set one up?
>>>
>>
>> We are expecting that reputation services or realm organizers are 
>> likely to be the same role as SSL certificate providers for web sites. 
>> The difference from SSL providers is that OP's credibility is built on 
>> OP's history of behavior and evaluation from many RPs.
>>
> 
> This makes sense, but it triggers another question.  This becomes 
> relevant when you see my comments on #3.
> 
> Can reputation services connect?  In other major reputation systems 
> there is input from many different services.  Think about credit 
> ratings: there are many ratings agencies, and each of them is fed with 
> information from many sources.
> 

I don't think that the source data from which a reputation score is 
calculated should be generated by a single reputation service. The sources should 
be mashed up if necessary. But our use case is still closed within a 
specific domain.

If OPs can evolve into some kind of credit rating agency, 
interconnection of all data sources and reputation results (which can be 
sources for other reputation services) is mandatory. But I still don't 
know how it happens. We haven't explored that far yet. I just hope that 
the output of this TC will facilitate the solution you are looking for.

> 
> We have an additional constraint.  There are forms of "reputation" for 
> OPs and RPs that only one entity could assert.  For example, we want 
> to say that an OP/RP is a member of a particular group.  That group 
> could imply many different and specific things that are useful for 
> trusting identity information; for example, "part of the University of 
> California System".
> 
> I'd love to be able to pass back more information about other reputation 
> systems so that the main "SSL" style system could allow the OP/RP to 
> chase a reference to find out whether its partner is part of the 
> University of California, for example.
> 

I think that this use case is a kind of *certified attributes* or 
whatever you name it. I am not sure this is in the scope of reputation. My 
view of reputation data is something quantifiable and measurable 
objectively, so both humans and machines can evaluate it. It is also 
dynamically re-calculated from inputs, so it changes frequently. Coming 
up with a distinctive and rigorous definition is part of the TC work. 
Therefore, I leave this to the TC. Please consider this my version.

> I really appreciate the feedback and your hard work,
> Nate.

Thank you very much for your valuable comments and inputs ;-)

Tatsuki
