19/09/2003brian matthews, eurocris 1 semantic trust: the challenges of e-trust for cris brian...

19/09/2003 Brian Matthews, euroCRIS 1

Semantic Trust: the Challenges of e-Trust for

CRIS

Brian Matthews


CRIS futures

• Distributed anonymous access

• Connecting different CRISes together,

• CRISes becoming part of larger distributed systems – GRIDS,Ambient,Virtual Organisations

• Heterogeneous Users, Heterogeneous Data, Heterogeneous Use

• Links to data, publications and computational resources

CurrentResearchInformationSystemsServices


Example: Virtual Organisations

• Transient Virtual Organisations.

• There are major issues in establishing such Vos.

An engineer within organisation A wants to perform an analysis on a material. By accessing a CRIS portal at site B, she discovers a suitable data set held by a data archive C. The analytical tools are

provided at university D within her Virtual Organisation. She initiates the analysis by passing the reference to the data set from B to D, which is

then accessed by the analysis tools. D then determines that it does not have enough

computational resource available, and determines that a computer is available at different institution E

and delegates part of the job there. Finally, D completes the job and return the results to A. D also

caches the results of the analysis locally and registers the fact that the precomputed results are available with the portal B and the data provider C. However, the analysis has taken several hours, so the engineer has established a user proxy agent to represent her, collect the results, make payments as appropriate and close down the collaboration.

A

E

D

CB


Requirements of e-Services

• Functional requirements – Service delivery

• Non-functional requirements– The behaviour of the agents involved

respect expected norms.– Required Behaviour is outside control of

participants.


Non-Functional Requirements

• On the User:– Respect the integrity of the CRIS,

• Do not try to access areas beyond authorisation• Do not act maliciously within the CRIS.

– Do not break any restrictions on the use of data.– Respect any future obligations – e.g. payment.

• On the CRIS– Provide quality information– Respect the privacy and wishes of the user and

depositor.


Specialised standards

• Secure MIME (S/MIME)• Open PGP (OpenPGP)• XML digital signatures

(XMLDSIG)• XML encryption (XMLENC)• X.509 Public Key

Certificates• Internet X.509 Public Key

Infrastructure (PKI)• XML Key Management

Services

• Kerberos ticket issuing systems

• Security Assertions Markup Language (SAML)

• Extensible Access Control Markup Language (XACML)

• Web Services Security (WSS)

• Platform for Internet Content Selection (PICS)

• Platform for Privacy Preferences (P3P)

Standard security approaches to managing aspects.

• Inflexible, do not evolve over time, not context or person sensitive

• Reliability criteria poorly covered

• Looking for a more flexible model – Analyse TRUST.


Problem Characterisation

• Across open distributed systems (Web, Grid)

• Establish relationships with agents with no prior knowledge – uncertain behaviour

• Allow access to semi-closed resources.

• Context based decision making– What is being done– Who they are– Experience– Context

• What do people do?– Provide a legal framwork

to constrain behaviour– Consider how they trust

others– Weigh up risks– Devise policies to

balance costs and benefits

– Establish contracts to reduce risk

• Can machines do this too?

TRUST

+: Belief that Good behaviour do happen (reliability, QoS,)

-: Belief that Bad behaviour doesn’t happen (security, fraud,

privacy).


A Working Definition of Trust A Working Definition of Trust

This period may be in the past (history), the duration of the service (from now and until end of service), future (a scheduled or forecasted critical time slot), or alwaysThis period may be in the past (history), the duration of the service (from now and until end of service), future (a scheduled or forecasted critical time slot), or always

Dependability is deliberately understood broadly to include security, safety, reliability, timeliness, maintainability

Dependability is deliberately understood broadly to include security, safety, reliability, timeliness, maintainability

The measurement may be absolute (e.g. probability) or relative (e.g. dense order)The measurement may be absolute (e.g. probability) or relative (e.g. dense order)

Trust is relative to a specific service. Different trust relationships appear in different business contextsTrust is relative to a specific service. Different trust relationships appear in different business contexts

Trust of a party Trust of a party AA to a party to a party BB for a service for a service XX is is

the measurable belief of the measurable belief of AA in that in that BB behaves behaves dependably for a specified period within a dependably for a specified period within a

specified context (in relation to service specified context (in relation to service XX))


A Working Definition of Distrust A Working Definition of Distrust

Distrust of a party A to a party B for a service X is A’s measurable

belief in that B behaves non-dependably for a specified period within

a specified context (in relation to service X)

We need distrust in order: • revoke previously agreed trust when entities are trusted, by default,

• to capture “being blacklisted’’ for a class of potential business

transactions.

• etc ..


Building Trust into e-Services: Why?

e-Services are now central for European business and in daily life Marked expansion in: Electronic services based on the Internet,

Web and mobile networks

However, there is still major concern about the trustworthiness of e-Services:

"While internet penetration is growing rapidly, all the evidence "While internet penetration is growing rapidly, all the evidence shows that consumer confidence in the e-commerce medium itself shows that consumer confidence in the e-commerce medium itself and in cross-border transactions remains low.and in cross-border transactions remains low.

E-commerce, therefore, is an insignificant part of final E-commerce, therefore, is an insignificant part of final consumption within the European Union – significantly below 1% of consumption within the European Union – significantly below 1% of

total retail sales."total retail sales." [David Byrne, European Commissioner for Health and Consumer Protection]


Building Trust into e-Services: Why?Building Trust into e-Services: Why?

For e-services to achieve the same levels of For e-services to achieve the same levels of

acceptance as their conventional counterpartacceptance as their conventional counterpart

trust managementtrust management has to become an has to become an

intrinsic part of e-service provision.intrinsic part of e-service provision.

“Despite the presence of effective base technologies, there remains a need for further innovation before trust can be managed efficientlymanaged efficiently at the service level.” Patricia Hewitt - UK minister for e-commercePatricia Hewitt - UK minister for e-commerce


Building Trust into e-Services: How?

Incorporate trust elements in e-service technologyIncorporate trust elements in e-service technology

analyse trust requirements for e-services model trust in the development of e-services

• Take into account risks and legal framework

• Develop policies and contracts based on trust

• Subject of the next section Thanks to Theo Dimitrakos

integrate trust management in the deployment of e-services

• Especially, how do we integrate trust management into

established open distributed systems

• WWW, Grid

• This is the subject of the rest of this talk

• Ideas and work in progress


A Working Model of Trust A Working Model of Trust Structural Properties of Trust Relationships Structural Properties of Trust Relationships

–Its measurement is based on evidence, experience and perception.

SallySally RobRob

JohnJohn

John trusts Sally to keep his savings John trusts Sally to keep his savings moremore than he trusts Robthan he trusts Rob

Trust is a measurable belief Trust exists and evolves in time–Trust relationships expire. –The level of trust may change over time

John trusted Sally to ride a bike 30 years John trusted Sally to ride a bike 30 years ago. He does not trust her any more.ago. He does not trust her any more.

TIME TIME

30 years


Trust is relativised to a service Trust between collectives does not necessarily distribute to trust between their members

John trust her tutees to do well in their John trust her tutees to do well in their group project but he does not trust Mary to group project but he does not trust Mary to do well in her part do well in her part (John thinks Mary does most of the work) (John thinks Mary does most of the work)

Mary trusts Sally to baby-sit but not to Mary trusts Sally to baby-sit but not to drive her car. drive her car.




• Measuring self-trust facilitates delegation Measuring self-trust facilitates delegation

Trust is reflexive - yet trust to oneself is measurable

Trust is not necessarily transitive

Mary trusts her lawyer to win her case in Mary trusts her lawyer to win her case in court more than she trust herself to do so court more than she trust herself to do so

– John trust Bob to be his barber John trust Bob to be his barber – Bob trusts Nick to be his barberBob trusts Nick to be his barber– John does not trust Nick to be his barberJohn does not trust Nick to be his barber

(John has had bad experience with Nick and he (John has had bad experience with Nick and he is able to chose between Bob and Nick is able to chose between Bob and Nick

-- Bob cannot cut his own hair )-- Bob cannot cut his own hair )


A Working Model of Trust A Working Model of Trust Transference of Trust Transference of Trust

• Guarantor offers a formal promise or assurance, that all obligations of the parties she guarantees for will be fulfilled in the context of a transaction and will be of a specified quality and durability.

• Intermediate intervenes between other parties in a business transaction and mediates so that they establish a business relationship with or without their knowledge.

• Adviser offers recommendations about the credibility of another party.

Trust is (unintentionally) transitively transferred along certain mediating parties.

Dimitrakos IFIP I3E 2001


A Working Model of Trust A Working Model of Trust Transference of Trust: Transference of Trust: Guarantors

• All parties involved have to exhibit sufficient trust in each other or in a guarantor in order to be engaged in a business transaction.

• Trust established through a guarantor is not necessarily (directly) transferable.

A B

G

B C

G

A C

G

• Indirect ways to transfer trust via hierarchies of guarantors may be feasible.

A B

G

B C

G

A C

G’;G

G’


A Working Model of Trust A Working Model of Trust Transference of Trust: Transference of Trust: Intermediates

Intermediate is a party that intervenes between other parties in a business transaction and mediates so that they establish a business relationship with or without their knowledge.

– Transparent: an intermediate who identifies the parties she is mediating between to each other.

– Translucent: an intermediate who identifies the existence of the parties she is mediating between to each other but not their identity.

– Opaque: an intermediate who hides the existence of the parties she is mediating between from each other.

–Proxy: an intermediate who is authorised to act as a substitute of another entity.



(Dis)trust is not transferred along an opaque intermediary

• Mary trusts John’s cooking - she likes the Mary trusts John’s cooking - she likes the

meals John prepares for her. meals John prepares for her.

• John buys off the self precooked meals John buys off the self precooked meals but he doesn’t tell Mary. but he doesn’t tell Mary.

Trust is transferred along transparent intermediaries

– distrust is not.• John sends his products via Royal Mail.John sends his products via Royal Mail.

• Mary decides to purchase John’s Mary decides to purchase John’s products. She expects the products to be products. She expects the products to be delivered as agreed. delivered as agreed.

• Mary places her trust on the Royal Mail Mary places her trust on the Royal Mail delivery service.delivery service.



(Dis)trust in a subcontractor of a transparent intermediary is transferred to (dis)trust in the intermediary.

Trust is transferred anonymously along translucent intermediaries

– distrust is not.

• Mary considers changing health Mary considers changing health

insurance because she does not trust the insurance because she does not trust the

private hospital she is being referred to. private hospital she is being referred to.

• John sends his products via courier.John sends his products via courier.

• Mary decides to purchase John’s Mary decides to purchase John’s products. She expects the products to be products. She expects the products to be delivered as agreed. delivered as agreed.

• Mary places her trust on the John’s Mary places her trust on the John’s choice of delivery service.choice of delivery service.


A Working Model of Trust A Working Model of Trust Transference of Trust: Transference of Trust: Advisors

• Trust in an advisor is transferred to the recommended party - distrust is not. – The more A trusts T the more she relies on her recommendation.

• Distrust in a recommended party is transferred to the advisor – trust is not. – A’s distrust in a party B recommended by T for a service X prompts A to question T’s competence as an advisor for X.

• Advisors distinguish between recommendations based on “first hand” and

“second hand” evidence. In the latter case they ought to identify their sources. – If T1 and T2 pass to A advise by T as their own observations then T gains an unfair

advantage in influencing A.


A Working Model of Trust A Working Model of Trust Transference of Trust Transference of Trust

Trust and distrust are allowed to be transferred in opposite directions

This does not necessarily result in a conflict

Distrust propagates through trust.

Distrust obstructs the propagation of trust.

If A distrusts an intermediary T for a service X then A will ignore T's mediation to the extent of the distrust.


Formal Presentation of Trust

Subjective logic (Jøsang)

Addresses the problems of forming a measurable belief about the truth or falsity of an atomic proposition denoting a state, event or identifying an agent, in the presence of uncertainty.

Addresses the problems of forming a measurable belief about the truth or falsity of an atomic proposition denoting a state, event or identifying an agent, in the presence of uncertainty.

Integrates classical logic and a theory of subjective probabilities based on an extension of the Dempster-Shafer theory of evidence . Integrates classical logic and a theory of subjective probabilities based on an extension of the Dempster-Shafer theory of evidence .

An opinion is a triple where:An opinion is a triple where: b measures belief, represented as the subjective probability that the proposition b measures belief, represented as the subjective probability that the proposition is true;is true; d measures disbelief, represented as the subjective probability that the d measures disbelief, represented as the subjective probability that the proposition is false; proposition is false; u measures uncertainty, represented as the subjective probability that the u measures uncertainty, represented as the subjective probability that the proposition is either true or false;proposition is either true or false; b+d+u=1b+d+u=1

A strong correlation between this opinion model and the probability density functions A strong correlation between this opinion model and the probability density functions associated with the beta distribution ensures that opinions can be deterministically associated with the beta distribution ensures that opinions can be deterministically established if all available evidence can be analysed statistically.established if all available evidence can be analysed statistically.

An opinion is a triple where:An opinion is a triple where: b measures belief, represented as the subjective probability that the proposition b measures belief, represented as the subjective probability that the proposition is true;is true; d measures disbelief, represented as the subjective probability that the d measures disbelief, represented as the subjective probability that the proposition is false; proposition is false; u measures uncertainty, represented as the subjective probability that the u measures uncertainty, represented as the subjective probability that the proposition is either true or false;proposition is either true or false; b+d+u=1b+d+u=1

A strong correlation between this opinion model and the probability density functions A strong correlation between this opinion model and the probability density functions associated with the beta distribution ensures that opinions can be deterministically associated with the beta distribution ensures that opinions can be deterministically established if all available evidence can be analysed statistically.established if all available evidence can be analysed statistically.


Analyse Trust: Trust ManagementAnalyse Trust: Trust Management

It is the total process of identifying, controlling and minimising the impact of deception and failure in trust.

It analyses threats and trust inclinations while supporting the formation of dependable intentions and controlling dependable behaviour.

Trust management subsumes and relies on risk analysis and risk management.

BehaviourBehaviour

IntentionsIntentions

InclinationsInclinations

Trust Management aims to maximise trust while minimising risk.Trust Management aims to maximise trust while minimising risk.

What about the deployment?


Supporting Trust: Web Services?

• Increasingly popular standards-based framework for accessing network applicationsWSDL, SOAP, WS-Inspection, UDDI etc

However for Trust we need to be able to – Specify what actors want to do

– Specify in what contexts actions take place

– Specify recommendations and trust valuations about resources

– Need to share vocabularies and agree common meaning of terms

– Capture Experience

– Provide reasoning about trust statements

• The Semantic Web offers a set of tools which can support the implementation of Trust


Semantic Web:Add Meaning to Resources

•The Semantic Web adds well-defined meaning to describe the Web (Metadata)


Semantic Web: Layered Architecture

“The Web of Trust”


Web of Trust?

Trusted statements through proofs over signed statements and rules.


• Establishing that the interactions between actors on the Web are trustworthy– Security: access control, authentication and authorisation and policies– Reliability and dependability– Quality ratings– Personalisation: Privacy, confidentiality, user preferences, accessibility – IPR

• Dynamic virtual organisations over Web Services– Transferring trust from third parties– Establishing service-level agreements which can be relied upon

• Establishing trust between agents that have no prior knowledge of each other – prevent the growth of future wide area distributed systems

Trust on the Web


SWAD-Europe

Semantic Web Advanced Development in Europe

• Purpose is to encourage the use of Semantic Web tools and techniques now:– By an outreach programme– By developing practical demonstrators– By providing tools and standards

• Partners:– Univ. of Bristol, W3C-INRIA, CCLRC, HP Labs,

Stilo


SWAD-Europe: WPs

Thesuari Queries

Trust

Semantic Portals

SW + WS Semantic Blogging

XML + RDFAccessibility

Scaleability

AnnotationsDatabases

Visualisation


What we want to do?

• Survey of Web and trust methods– Those already in Semantic Web: PICS, P3P, CC/PP– Other Web trust initiatives: XSig, XEncrypt, XACML, SAML, – Other distributed trust work: e.g. Ponder, trust evaluation.

• Usage scenarios of trust on the Web– E-Commerce, access control, …

• Framework for Trust within the Semantic Web.– Ontologies for trust statements– Applying trust policies

• Develop tools for processing RDF statements against policies.

• Relate general trust values across all the applications– A general trust framework for the Semantic Web


Towards a Framework for Trust using the Semantic Web

• A representation of trust statements in RDF

• E.g. “A has trust in B to do X in context Y in time period (T1, T2) to value 0.8”

A

T2

X

0.8

B

T2

trusts

trustee

value

action

Y

contextendbegin


Towards a Framework for Trust using the Semantic Web

• Or use Classes to represent general rules• E.g. “A has trust in members of Class C to do X in context Y

in time period (T1, T2) to value 0.8”

• With WebOnt gives the possibility of more complex rules for trust valuations.

A

T2

X

0.8

C

T2

trusts

trusteeClass

value

action

Y

contextendbegin


Propagation of Trust through Semantic Networks

• The Semantic Web provides a semantically rich network of resources

• Add trust valuations to links (from 1-9)

• Calculated the propagation of trust via the rules in the above framework

• Link to Citations??

Golbeck, Hendler and Parsla 2002

A

B

n

jij

n

jjsijij

jsijijjs

is

t

ttift

ttiftt

t

0

0 2 )(

)*(

6

8

9

2

8

9

3

6

6

76

5


• Platform for Internet Content Selection (PICS) - quite an early Recommendation from the W3C (October 96).

• Labels, Filters, Rating – a set of categories on a rating system• PICS Rules - Defining a filtering policy

Ratings Services


PICS and Trust

• One of the aims of the RDF effort was to provide a generalised way of doing rating. – Now a proposed RDF format and

under reconsideration

• PICS is about Third parties providing additional properties about resources – its ideal for trust! – Use RDF/PICS vocabulary to define

recommendations.– PICS services become

recommendations services

• Generalise this method to provide a trust recommendation service

<rdf:Description xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:p="http://www.w3.org/TR/WD-pics2.0#" xmlns:gcf="http://www.gcf.org/v2.5#" about=""> <p:by>John Doe</p:by> <p:until>1995.12.31T23:59-0000</p:until> <rdf:Description about="http://w3.org/PICS/Overview.html"> <p:until>"1995.12.31T23:59-0000"</p:until> <gcf:suds>0.5</gcf:suds> <gcf:density>0</gcf:density> <gcf:hue>1</gcf:hue> </rdf:Description> <rdf:Description about="http://w3.org/PICS/Underview.html"> <p:by>Jane Doe</p:by> <gcf:subject>2</gcf:subject> <gcf:density>1</gcf:density> <gcf:hue>1</gcf:hue> </rdf:Description> </rdf:Description>


Trust Policies and Statements in RDF

• Express policy in RDF

• Present a trust statement to the Policy in RDF

• Proof satisfaction of one to other

• Problems: e.g. representing free variables.

• RuleML etc

Edit_forms

hasPolicy

FRSPolicy

Policytype

positivesubject Liz

typeEmployee

Project Manager

jobtitletarget

type

PolicyStatement

/Finance/FrSWeb/Lookup

action

Bag

_1load

_2displa

y_3

fill

_4submi

t

type


Trusted Web Architecture

Trust enabled web gateway

resources

Policy store

TrustBase

Trust reasoning

engine

Accessing agent

Recommending agent

RDF trust Statements

BehaviourBehaviour

IntentionsIntentions

InclinationsInclinations

riskrisk

Trust ManagementSystem

Intranet Internet

RDF Store(Jena)

PICS

RDF Net API

Rules(RuleML, CWM)


Trust, Ontologies and Proof

• Use Web Ontologies work to: – Provide web accessible description of trust

properties and policy frameworks– Add domain ontologies to customise to

applications – role based trust management– Proof to demonstrate satisfaction of policy

• Initial Case study:– Frank Dale: Oxford Brookes Univ. MSc student – RDF formats for Access Control policies and – Added domain ontologies for role based access

control.– Using XSLT to prove satisfaction of policies.


Ontology enabled role-based access control

• Frank Arild Dale’s work (MSc Oxford Brookes)

<p:View> <rdf:Description> <p:memberOfClass>OBU</p:memberOfClass> <daml:disjointUnionOf> <rdf:Description> <p:Teaches>course3</p:Teaches> <p:Attends>course3</p:Attends> </rdf:Description> </daml:disjointUnionOf> </rdf:Description></p:View>

Access control statements in RDF

Using vocabulary from domain ontology

<p:Professor rdf:about="frank"> <p:Teaches>course3</p:Teaches> <p:Located>Wheatley</p:Located> <p:worksInField>Computer Science</p:worksInField></p:Professor>

Statements about individuals in domain ontology

RDF reasoning tool to determine access


Ontology-based access control


So Trust and CRIS

• Three aspects of Trust for CRIS– Establish that they are trustworthy services

• Good practise for digital curation, formal processes, good quality of service

– Show trust in users• Develop policies and contracts to control participation in

Virtual Organisations.• Change in trust in users changes over time.

– Provide indications of trust in others• Citations and Impact analysis• Quality metrics and ratings services• Analysis of networks of influence


Some observations

• Trust recommendations would be an extremely valuable commodity.– Part of a company’s commercial property– Would they want to reveal it?

• Trust could become a tradable commodity– “trust-rating agencies” (like credit rating agencies

• Legal implications?– Would you get sued for down-rating?– Need to provide reasons (“Proof” in Web of Trust)

• “Accurate” valuation of Goodwill– Your goodwill asset is everybody else’s trust in you!– Business in collecting such information!


Will Trust work?

• Will automatic trust management be used as a practical means to enable the use of e-services?

• NO: – Too conceptual an approach– Relies on humans– Open to abuse– People won’t trust the trust mechanism– Rely on traditional security measures and “word of

mouth”

• YES: – There is at least one example where trust works


Ebay: a success story for trust

…the company philosophy remains pretty much the same: trust in human nature.

…

Fraud is a concern to the company, concedes Donlay [ebay spokesman]. 'But it is not a massive problem. Of the 195 million items listed for auction last year, less than one hundredth of one percent of the transactions ended in some kind of fraud. We are taking every step we can to protect people and make sure their eBay experience is a good one,' he says.

Observer, 2 March 2003


Why does ebay work?

• Trusts its customers• Buyers and sellers

accumulate reputation

• Trust propagation through trusted sources

• Underpinned by a “guarantor of last resort” and punitive sanction

Community Values eBay is a community where we encourage open and honest communication between all of our members. We believe in the following five basic values.

• We believe people are basically good. • We believe everyone has something to contribute. • We believe that an honest, open environment can bring out the best in people. • We recognise and respect everyone as a unique individual. • We encourage you to treat others the way that you want to be treated.

eBay is committed to these values. And we believe that our community members should also honour these values -- whether buying, selling, or chatting. We hope these community values will help you better understand the eBay community.

We should try to emulate this example


Modelling Trust: Final Word

Effective solutions require interdisciplinary approaches which provide a fertile ground for the application of many tools from cognitive sciences, law and economics in addition to computer science.

Effective solutions require interdisciplinary approaches which provide a fertile ground for the application of many tools from cognitive sciences, law and economics in addition to computer science.

Effective implementations over open architectures require the effective transmission of context and intention, and the Semantic Web is a strong candidate to provide that infrastructure.

Effective implementations over open architectures require the effective transmission of context and intention, and the Semantic Web is a strong candidate to provide that infrastructure.

The iTRUST European Working Group

http://www.bitd.clrc.ac.uk/Activity/iTrust

2nd Int. Conf. on Trust Management, Oxford, UK, 29-31 March 2004

SWAD-Europe

http://www.w3.org/2001/sw/Europe

Semantic WebTrust and Security Resource Guide

http://www.wiwiss.fu-berlin.de/suhl/bizer/SWTSGuide/

[email protected]

TrustCom FP6 projectturn this into reality

19/09/2003brian matthews, eurocris 1 semantic trust: the challenges of e-trust for cris brian...

Documents

cris brian matthews

heterogeneous data

use of data

e d c b slide

requirements of e

data archive

data provider

cris portal