
A usable reputation web service

With the rise of social networking, the advent of provable identities, and ways to authorize access, there is a growing need for a reputation system to recognize good content and good people.

I have been working on this and my principles have been that the system needs to:

  • be simple and available as an API,

  • be decentralized and accept other systems to participate,

  • contain security measures that prevent gaming and abuse,

  • be transparent to users so that you know the hows and whys of the score (the right level of transparency needs to be found here to prevent gaming),

  • accept reputation for any provable identity (including other systems),

  • collect explicit scoring from users,

  • implicitly derive reputation of identities by observing current and past behavior,

  • associate multiple identities. This means that http://alice.example.com should be able to associate her good karma with her secret http://timerider.example.org identity. This association must be kept hidden from others,

  • recognize different categories. A person may be highly rated in some areas, and not in others,

  • use a voting model that matches the real world. This model must be limited and untraceable between all parties. Positive behavior should be rewarded.

APIs needed:

  • Signup. A user signs up by proving to the system that she owns a URL. In exchange, the system creates a shared secret that can be used to authenticate (and possibly encrypt) API requests and responses.

  • Bind. Binds an identity to a user’s existing identity.

  • Lookup. Looks up the reputation for a specific category. The set of categories is intentionally kept small for simplicity.

  • Vote. Submits a reputational vote for a user and a specific category.

  • Some security related APIs with a simple way to handle the life cycle of keys and trust.

There could also be APIs for user profile management, and perhaps statistics.
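To make the four APIs concrete, here is an added example (my own code, not the post's or any shipped implementation) that models Signup, Bind, Lookup and Vote as a small in-memory service. It also shows how the principles above can be enforced at the API boundary: every request is authenticated with the shared secret issued at signup, Bind requires both identities to sign the same request, Vote rejects self-votes (including votes routed through a bound alias) and keeps one vote per voter per category, and Lookup returns only a score and a count, never the voters or the linked identities. The request-signing scheme (HMAC-SHA256 over a canonical request string), the category list and all the example URLs are assumptions of this example; the post does not specify them.

```python
import hmac
import hashlib
import secrets

# Constructed, deliberately small category set (the post only says "kept small").
CATEGORIES = ("code", "writing", "commerce")


class ReputationService:
    """Hypothetical in-memory model of the post's Signup/Bind/Lookup/Vote APIs."""

    def __init__(self):
        self._secrets = {}    # identity URL -> shared secret issued at signup
        self._canonical = {}  # identity URL -> canonical identity (rewritten by bind)
        self._votes = []      # (voter, target, category, value) in submission order

    @staticmethod
    def sign(secret, message):
        """Client side: tag a request with the secret obtained at signup (assumed scheme)."""
        return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()

    def _authenticate(self, identity, message, tag):
        secret = self._secrets.get(identity)
        return secret is not None and hmac.compare_digest(self.sign(secret, message), tag)

    def _resolve(self, identity):
        # Bound identities collapse onto one canonical identity; this mapping is
        # never returned by any API, so the association stays hidden from others.
        return self._canonical.get(identity, identity)

    def signup(self, identity, ownership_proven):
        """Issue a shared secret once control of the URL has been proven.
        `ownership_proven` stands in for the real proof step (e.g. an OpenID round trip)."""
        if not ownership_proven:
            raise PermissionError("URL ownership not proven")
        if identity in self._secrets:
            raise ValueError("identity already registered")
        secret = secrets.token_hex(32)
        self._secrets[identity] = secret
        self._canonical[identity] = identity
        return secret

    def bind(self, identity, tag, other, other_tag):
        """Merge `other` into `identity`. Both must sign the same request, so a
        stranger cannot attach a well-reputed URL to an identity they do not control."""
        message = f"bind|{identity}|{other}"
        if not (self._authenticate(identity, message, tag)
                and self._authenticate(other, message, other_tag)):
            raise PermissionError("bind requires both identities to sign the request")
        keep, drop = self._resolve(identity), self._resolve(other)
        for url, canon in list(self._canonical.items()):
            if canon == drop:
                self._canonical[url] = keep

    def vote(self, voter, tag, target, category, value):
        """Record a +1/-1 vote. Only registered identities may vote, only for
        registered identities, and never for themselves or their own aliases."""
        message = f"vote|{voter}|{target}|{category}|{value}"
        if not self._authenticate(voter, message, tag):
            raise PermissionError("vote must be signed by a registered identity")
        if category not in CATEGORIES or value not in (1, -1):
            raise ValueError("unknown category or vote value")
        if target not in self._secrets:
            raise ValueError("target is not a registered identity")
        if self._resolve(voter) == self._resolve(target):
            raise PermissionError("self-voting (including via bound identities) is rejected")
        self._votes.append((voter, target, category, value))

    def lookup(self, identity, category):
        """Score for one category across all identities bound to `identity`.
        One vote per (canonical) voter counts; the newest wins. Voters are not disclosed."""
        target = self._resolve(identity)
        latest = {}
        for voter, t, cat, value in self._votes:
            if cat != category or self._resolve(t) != target:
                continue
            v = self._resolve(voter)
            if v == target:  # became a self-vote through a later bind: discard
                continue
            latest[v] = value
        return {"score": sum(latest.values()), "votes": len(latest)}


def demo():
    """Walk through the post's Alice/timerider scenario with constructed identities."""
    svc = ReputationService()
    alice, rider = "http://alice.example.com", "http://timerider.example.org"
    bob, carol = "http://bob.example.net", "http://carol.example.net"
    keys = {u: svc.signup(u, True) for u in (alice, rider, bob, carol)}

    def cast(voter, target, category, value):
        msg = f"vote|{voter}|{target}|{category}|{value}"
        svc.vote(voter, svc.sign(keys[voter], msg), target, category, value)

    cast(bob, alice, "code", 1)
    cast(carol, rider, "code", 1)
    before = (svc.lookup(alice, "code"), svc.lookup(rider, "code"))
    msg = f"bind|{alice}|{rider}"
    svc.bind(alice, svc.sign(keys[alice], msg), rider, svc.sign(keys[rider], msg))
    after_bind = svc.lookup(rider, "code")      # both votes now count for one identity
    cast(bob, rider, "code", -1)                # Bob changes his mind: newest vote wins
    return before, after_bind, svc.lookup(alice, "code"), svc.lookup(alice, "writing")


if __name__ == "__main__":
    print(demo())
```

Votes are kept as an append-only ledger and resolved at lookup time, so Bind never has to rewrite stored votes and a later binding cannot resurrect a self-vote; the trade-off is that lookup is linear in the ledger, which a real deployment would replace with per-identity aggregates.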

For the back-end, there are other APIs that need to be implemented to handle decentralized sharing and calculation of scores. More on that in a later post.

Posted on Tuesday, April 15, 2008 at 09:34AM by Hans | 2 Comments

Reader Comments (2)

Wow, what a lucid overview, Hans! There is definitely a need for this kind of thing, and it makes a natural successor to OpenID and OAuth, like you mention. Looking forward to the next post on this topic.

Nice blog.

April 30, 2008 | Benjamin Kudria

Thanks, Ben. I will hopefully get to update this soon.

May 2, 2008 | Hans
