[ANNOUNCE] Global Web Of Trust Standards Workgroup

[PLATO]

The bitcoin community (and internet as a whole) will benefit if we can create a truly global web of trust.

As Bitcoin grows, more services will be based on trust. Maybe we'll see a classifieds site (BitListings?) where you're willing to ship your junk across the country in exchange for bitcoins to trusted parties. Maybe "CryptNet" from The Diamond Age will show up. Exchangers (e.g. Coinpal -otc) are already using trust-based systems.

The workgroup will oversee the creation of a standard to allow all of these systems to interact. The primary goal is to decide on an API that will allow sites to share their trust data. Some sites will opt to keep their trust data internal, which is fine. However, the advantage of creating a global web of trust is that your -otc ratings will show up when you use BitListings. This would help solve a lot of trustability problems.

I've purchased some web hosting which is currently located at bitcoin.subvert.me. It's still empty.

I've set up a mailing list to start hashing out the low level details (like what to put on the site.) Join the list by emailing bitcoin-join@subvert.me and leave by emailing bitcoin-leave@subvert.me. Emails sent to bitcoin@subvert.me will go to the whole list. You can set an option to receive a single daily digest email here. We can use a lot of different opinions - users, developers, site owners are all encouraged to help us create the best possible system.

BTW - I have never created a standard before, if you have experience with this, your input will be especially valuable.
PLATO

[Garrett Burgwardt]

I don't have much experience either but I'm certainly willing to help out.

One thing I'd say is critical to have is an easy way in and out. Nanotube will vouch for me being the most vocal about how much a pain in the ass GPG is for people who aren't running linux or a specific irc client. Maybe a database that will send your credentials for you given the password to the gpg key?

Anyway, I'm on the mailing list.

[Matt Corallo]

One thing I'd say is critical to have is an easy way in and out. Nanotube will vouch for me being the most vocal about how much a pain in the ass GPG is for people who aren't running linux or a specific irc client. Maybe a database that will send your credentials for you given the password to the gpg key?

Totally agree, its a real shame gpg is so hard to get going on Windows but it is so ideal for situations like this...maybe working on a better gpg for windows is the first step to this .

In any case, it is also important to strictly define how trust is given.  Arbitrary numbers don't always work so well (see -otc's 1 == I made a trade for 100 BTC or I sent someone 1 BTC and they sent it back).  Also, trust is given in different areas and doesn't necessarily cross over.  For the next release of bitcoin (0.4.0) the build system will be made distributed and based on trust assigned to the gpg keys of various developers who build and sign a bitcoin binary deterministically, just because I'd trust someone on a 1000 BTC transaction doesn't mean I would trust them to build bitcoin safely, I might only trust someone with a 1 BTC transaction, but I know they would never sign something which they put a virus in. 

[error]

Interested in following this, but words cannot describe how much I despise the mailing list format, especially for anything vaguely important.

[Vasili Sviridov]

Actually, getting GPG on windows is not that bad, albeit being bit roundabout. Just install Mozilla Thunderbird and the install Enigmail plugin for it.

[Garrett Burgwardt]

There's a very easy way to /install/ gpg on windows.

The problem comes from authing taking multiple copy and pastes which is a huge hassle, and it is also just a daunting task for many people who aren't computer savvy.

[Cryptoman]

You could also sign up for an email account with hushmail and use their GPG tools.

[PLATO]

Interested in following this, but words cannot describe how much I despise the mailing list format, especially for anything vaguely important.

The only real purpose of the mailing list is to figure out how to manage the project. (e.g. what's the best way to communicate, what tools to use?)

Pasting from the (only) message I've sent to the list so far:

One of the first things we need to do is set up a project tracking
website to keep everything efficient. I just purchased hosting for
4btc/mo from soulacehosting.net and have set up the site
http://bitcoin.subvert.me. What should go there? Git repos? Trac?

The initial goal of this project as  is to come up with a standard,
or set of standards, governing webs of trust. The WOT model
is really useful in a lot of different contexts, and one of the neat
things about them is they're exportable. #bitcoin-otc's databases are
public, here: http://bitcoin-otc.com/otc/  They use GPG keys as
identities, with a meta layer on top of that (viz. rating and a
comment). This data could easily be exported as plaintext and imported
to any site that wanted to initialize or update their trust database.

Some initial thoughts:
-If many sites all publicize their ratings, they can create a truly
global web of trust and everyone benefits. if everyone keeps their
data private (or simply inaccessible), everyone loses
-Sites may have different internal implementations, but should use a
JSON or similar API to share trust data
-Design to allow crypto schemes other than GPG
-Draft some ways to audit public trust DB's. This way we can detect
site owners tampering with ratings (maybe the site operator signs each
rating)
-How to deal with merge conflicts? Alice may have a high rating on
site A and a low rating on site B when site C imports trust ratings
from both A and B