
Re: [freehaven-dev] some trust thoughts



At 07:25 AM 2/3/2000 -0500, you wrote:
>Trust:
>  I would like to hash explicit lists for:
>    a) the types of broadcasts that the trust system will want to be
>       doing. how frequent will this be really?
>    b) the list of boolean functions which we want the trust system to
>       be able to answer. things like "should we do this trade (large
>       pile of arguments)?"
>    c) the list of events which the trust system wants to be informed
>       of, and how much detail it wants for each event.
>  I realize that these lists can't be complete at this point because
>  there are things we'll find in the future that change them. But I want
>  to get started on them asap.

i)  keeping trust dynamic

So I had a question about the use of trust;  namely, how we probably want a
dynamic system.  Once a certain node has fallen below a level of trust
(i.e., it's new, I don't have any idea;  or, it's bad, I don't trust),
there might develop a certain "local minimum" of this.  In other words, if a
server doesn't trust another, it doesn't really deal that much with it,
therefore, its concept of the other's trustiness doesn't move up from
below some threshold.  (Obviously, broadcasts might affect this, but
anyway...)

I think something to continue would be a purposeful excitation of trust.
i.e., if A doesn't have any "share balance" with B, it doesn't currently
have anything to test for (does B still have a valid copy of what I traded
with it;  if it does, A's trust in B goes up).   So, we want A to
occasionally trade garbage with B, such that it really doesn't care whether
or not these garbage shares are ever lost, but they will serve to gain/lose
trust with B.   This might be something that naturally happens when B
initially joins the servnet, but it is also important as B might become
good/evil after already being established in the servnet.  B obviously shouldn't
be able to determine whether it has received "trust testing garbage" from A
or not, so that it acts normally.


ii) trust:  dropping shares v. poor judge of others

Secondly, I'm sure this has been thought about, but thought I'd explicate:

A trades foo with B, keeping copyA(foo).
B trades foo with C, keeping copyB(foo).

A asks B for foo, to test if it has been dropped or not.
B asks C for foo, to return share to A.
C has dropped foo.

if B still has its copy of foo, return copyB(foo).
	this is fine, 	B is still trustworthy for A, 
			B broadcasts that C has dropped
if B no longer has copyB(foo), 
	B's trust of C to keep shares goes down.
	A's trust of B .... to keep shares (???) ... goes down

This is a slightly different situation than normal.  It's B's
decision-making and ability to trust others that is faulty,  not its
ability to not drop shares.  Still, I think we should consider this the
same:  even if B has "good intentions,"  A really only cares if B can
ensure that shares it receives will stay in the servnet.  It's failed in
this regard, be it by poorly trusting C instead of dropping foo itself.
But I don't think that matters much.

Thoughts?
--mike


---------------------------------
  Michael J Freedman

Mail:  mfreed@mit.edu
Web:     griffen.mit.edu
Phone:    617.225.9381
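
The A/B/C share test from section ii and the garbage-share probe from section i, written out as a small simulation. This is an added example, not code from the original message or from the Free Haven project; the Node class, the 0.5 starting score, the fixed 0.1 adjustment and all function names are assumptions made for illustration.

```python
import os
from dataclasses import dataclass, field
STEP = 0.1  # assumed size of one trust adjustment

@dataclass
class Node:
    name: str
    held: dict = field(default_factory=dict)     # shares this node stores for others
    copies: dict = field(default_factory=dict)   # copies kept of shares it traded away
    sent_to: dict = field(default_factory=dict)  # share id -> node it was traded to
    trust: dict = field(default_factory=dict)    # peer name -> score in [0, 1]
    heard: list = field(default_factory=list)    # broadcasts received

    def adjust(self, peer, ok):
        score = self.trust.get(peer, 0.5) + (STEP if ok else -STEP)
        self.trust[peer] = round(min(1.0, max(0.0, score)), 2)

def trade(giver, taker, sid, data=None, keep_copy=True):
    """giver hands share sid to taker, optionally keeping a copy."""
    data = giver.held.pop(sid, data)
    if keep_copy:
        giver.copies[sid] = data
    giver.sent_to[sid] = taker
    taker.held[sid] = data

def fetch(node, sid, everyone=()):
    """Return sid from node, following onward trades as in the A/B/C case."""
    if sid in node.held:
        return node.held[sid]
    nxt = node.sent_to.get(sid)
    data = fetch(nxt, sid, everyone) if nxt else None
    if nxt:
        node.adjust(nxt.name, data is not None)  # B's trust of C moves
    if data is None and nxt and sid in node.copies:
        for peer in everyone:                    # B broadcasts that C has dropped
            peer.heard.append((node.name, nxt.name, sid))
        data = node.copies[sid]                  # B answers with copyB(foo)
    return data

def probe(a, b, sid, everyone=()):
    """A checks a share it traded to B against its own copy."""
    ok = fetch(b, sid, everyone) == a.copies[sid]
    a.adjust(b.name, ok)
    return ok

def garbage_probe(a, b, sid):
    """Section i: random bytes sent through the normal trade path, so B cannot tell."""
    trade(a, b, sid, os.urandom(32))
    return probe(a, b, sid)
```

With this update rule, a B that kept copyB(foo) gains trust from A while still lowering its own trust in C; a B that kept no copy loses A's trust even though C was the node that dropped the share.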