Our Trust Framework and Blackpages

We have had several requests for us to explain more about our Trust framework, so I thought I would put a summary of our thoughts in a post.

The general aim is to provide a Trust architecture that mirrors the real world of Trust and Claims. In the real world most claim interactions happen Peer-to-Peer and are unmediated – hence our model of privacy and control.

We currently recognise four levels of Trust for Identities and we let users decide which level they wish to use or accept for which Identity (note that this is a more general solution than the Social Networking model, which typically only recognizes two or three levels). Trust is reflected by certificates linked to the Identity Claim. Trust is assigned at the Facet (individual Identity Claim) and Persona (collection of claims) levels.

1) Unverified Claims: e.g. an “About me” claim, unverified by any means.

2) Peer verified claims: e.g. a “recommendation” claim is certified by “friend” using their friend@othermail.com Identity. Since I trust “friend”, I trust the claim “recommendation”. These are typically useful for reputation based Facets.

3) Glynx verified claims: for major communications IDs we run a Glynx verification service. This is backed up by an HSM based certificate assigning service. Currently we verify claims for email addresses, mobile phone numbers and Skype IDs. Of course others are possible but we selected those to give users a taste of the general solution (and cover some of the major bases). Expect us to verify other types of claims in future. However, we do not intend to become a claims verification business.

4) Identity Provider Claims: Identity Providers can offer the strongest certification of claims (for example a phone company is the best certifier of your phone number). At the moment the architecture recognizes this claim type but the API is not yet open for Providers to certify claims. Watch this space…

Our aim is to eventually open up the API to enable third parties (especially Identity Providers and holders of reputation credentials, so your reputation becomes portable) to certify claims directly into our peer network.

Claims can be held in several places:

  • Privately – i.e. I keep claims in a private repository and only issue them to you directly as required (cloud or device based of course)
  • In Blackpages – this is our P2P directory (see Summary of Blackpages). This enables claimants to publish, search, and associate claims with privacy and control. Exchange and digest happens P2P.
  • In a hosted Yellow directory – Examples of this are the typical web directories you are familiar with, such as Google, ebay, Facebook, etc. Other sorts of this directory include network directories (not just Yellow pages but also the directories held in switches, etc.) and government directories (such as centralised medical records). Significantly, these are held and mediated by a third party and you trust the third party to provide the “truth, the whole truth and nothing but the truth” in providing listing, publishing, search and association services.

The Blackpages directory is significant. Because all current directories are essentially mediated, they are managed in the interests of the hosting organisation. For example, your VoIP Identity is rarely listed in your telco provider’s directory (even though this might be useful), and Social Networks do not typically provide details of other Social Networks you belong to in your profile. Even if they did contain this Identity information, could you trust them to provide it to Identity requestors in a way that always meets requestors’ interests? You generally have to hunt around for all this claims information in an unsystematic way.

Blackpages enables systematic publishing, search, association and exchange of Identity information with a master directory of all possible user identities across all possible services in a way that means entries are generally only controlled by the user.

The Trust framework takes care of the level of search, association and exchange users are prepared to accept but we do not mandate a trust level. It is buyer beware which puts the responsibility for interpreting Trust on the claimant and recipient, like the real world.
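To make the buyer-beware point concrete, here is a recipient-side acceptance check over the four levels, added as an illustration and not taken from the Glynx code or API. The names `Trust`, `Facet`, `RecipientPolicy` and the sample Persona are all assumptions, and certificate signatures are assumed to have been checked already.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Trust(IntEnum):          # the four levels listed above
    UNVERIFIED = 1             # e.g. an "About me" claim
    PEER = 2                   # certified by another user's Identity
    GLYNX = 3                  # certified by the Glynx verification service
    PROVIDER = 4               # certified by an Identity Provider

@dataclass(frozen=True)
class Facet:                   # hypothetical shape of one Identity Claim
    kind: str
    value: str
    level: Trust               # level stated by the attached certificate
    certifier: Optional[str] = None

@dataclass
class RecipientPolicy:
    trusted_peers: set         # peer Identities this recipient trusts
    minimum: dict              # facet kind -> lowest level accepted
    default_minimum: Trust = Trust.GLYNX

    def effective_level(self, facet):
        # A peer certificate only counts if the recipient trusts that peer.
        if facet.level == Trust.PEER and facet.certifier not in self.trusted_peers:
            return Trust.UNVERIFIED
        # A verified level with no named certifier cannot be evaluated.
        if facet.level > Trust.UNVERIFIED and not facet.certifier:
            return Trust.UNVERIFIED
        return facet.level

    def accept(self, persona):
        accepted, rejected = [], []
        for f in persona:
            need = self.minimum.get(f.kind, self.default_minimum)
            (accepted if self.effective_level(f) >= need else rejected).append(f)
        return accepted, rejected

# Constructed sample Persona and policy (illustrative values only).
PERSONA = [
    Facet("about", "I like kites", Trust.UNVERIFIED),
    Facet("recommendation", "Reliable seller", Trust.PEER, "friend@othermail.com"),
    Facet("recommendation", "Great guy", Trust.PEER, "stranger@example.com"),
    Facet("email", "me@example.com", Trust.GLYNX, "glynx"),
    Facet("mobile", "+15550100", Trust.UNVERIFIED),
]
POLICY = RecipientPolicy({"friend@othermail.com"},
                         {"about": Trust.UNVERIFIED, "recommendation": Trust.PEER})
```

The same Persona yields different accepted sets for different recipients, because the peer list and per-kind minimums belong to the recipient rather than to the directory.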

So Blackpages can act as a meta directory across all your Private White directories. We want this to drive innovation back into the directory space: for example, when I browse a Social Networking user homepage it might be nice to see what other places outside of the Social Network you could find information about the user or their activity. With the Blackpages directory and Glynx I can do this (once our browser plugin/API is complete :) ). I may use many good Social Networking products that we would benefit from using together, but it is too hard for you to find out about them.

The Black feature is important as it prevents threats to Trust from spam, hacking, unauthorized observation attacks, etc., so eliminating the need for user self-censorship to prevent these threats. All hosted directories are to some extent open to these threats, which is why no hosted directory can become the master directory no matter how well it is managed or what promises the directory controllers make.
