1
IEEE Communications Surveys and Tutorials, Fourth Quarter 2000, http://www.comsoc.org/pubs/surveys/
A Survey of Trust in Internet Applications
Tyrone Grandison, Morris Sloman
Imperial College, Department of Computing
180 Queen’s Gate, London SW7 2BZ, UK
{tgrand, m.sloman}@ doc.ic.ac.uk
24 January 2001
Abstract
Trust is an important aspect of decision making for Internet applications and
particularly influences the specification of security policy i.e. who is authorised to
perform actions as well as the techniques needed to manage and implement security
to and for the applications. This survey examines the various definitions of trust in the
literature and provides a working definition of trust for Internet applications. The
properties of trust relationships are explained and classes of different types of trust
identified in the literature are discussed with examples. Some influential examples of
trust management systems are described.
Keywords:
Trust specification, trust management, security policy, authorisation, authentication
1 M
OTIVATION
Internet services are increasingly being used in daily life for electronic commerce, web-based
access to information and inter-personal interactions via electronic mail rather than voice or face-
to-face, but there is still major concern about the trustworthiness of these services. There are no
accepted techniques or tools for specification and reasoning about the trust. There is a need for a
high-level, abstract way of specifying and managing trust, which can be easily integrated into
applications and used on any platform. Typical applications requiring a formal trust specification
include content selection for web documents [1], medical systems [2], telecommuting [3], mobile
code and mobile computing [4-6], as well as electronic commerce [7-14]. Our main motivation
in studying trust specification and management is to use this as the starting point for subsequent
refinement into security policies related to authorisation and management of security [15].
However, there are additional reasons as to why trust is an important concept for modern
systems.
The migration from centralised information systems to internet-based applications will mean that
transactions have to span a range of domains and organisations [16], not all of which may be
trusted to the same extent. Inconsistencies in current trust relationships highlight the need for a
flexible, general-purpose trust management system that can navigate these (possibly) complex
2
trust domains. A domain may need to support a range of different trust relationships and hence
be capable of supporting different types of security policy [17].
Trust decisions are currently hard-coded into an application, which adds to the complexity of the
application and the inability to adapt to changes in trust and lack of flexibility when setting up
new relationships. A separation of the application’s purpose and its trust management
framework will offer a more scalable and flexible solution for the distributed environment.
Trust is a vital component in every business transaction. Customers must trust that sellers will
provide the services they advertise, and will not disclose private customer information (name,
address, credit card details, purchases etc.). Trust in the supplier’s competence and honesty will
influence the customer’s decision as to which supplier to use. Sellers must trust that the buyer is
able to pay for goods or services, is authorised to make purchases on behalf of an organisation or
is not underage for accessing service or purchasing certain goods. Thus, for Internet commerce
to achieve the same levels of acceptance as traditional commerce, trust management has to be an
intrinsic part of e-commerce.
Trust is usually specified in terms of a relationship between a trustor, the subject that trusts a
target entity, which is known as the trustee i.e. the entity that is trusted. Trust forms the basis for
allowing a trustee to use or manipulate resources owned by a trustor or may influence a trustor’s
decision to use a service provided by a trustee. Thus, trust can form an important factor in
decision-making [18-20]. The level of trust has an approximate inverse relationship to the
degree of risk with respect to a service or an e-commerce transaction [21-23], but there has been
very little work on using risk management frameworks for trust management or on the analysis
of the exact relationship between risk and trust. In many current business relationships, trust is
based on a combination of judgement or opinion based on face-to-face meetings or
recommendations of colleagues, friends and business partners. However, there is a need for a
more formalised approach to trust establishment, evaluation and analysis to support Internet
services, which generally do not involve human interaction.
In this survey we focus on trust in the context of networked and distributed computing systems,
in which it is not just the remote system that needs to be trusted, but also interactions over
underlying services such as communication services. Our focus is on modelling trust, so that it
can be used in automated systems. Work on the creation of computer frameworks of the entire
social concept of trust, though pertinent, is not our emphasis.
There is considerable variation in the meaning of trust as used in the literature. In the following
section we review the various definitions and suggest a definition applicable to internet services
and then discuss trust properties and relationships in more detail in section 3. In section 4 we
classify the different types of trust we have identified in the literature. In section 5 we introduce
the concept of trust management and in section 6 we describe examples of trust management
solutions in more detail. We elaborate on some of the application areas for trust management in
section 7, followed by a summary of the key ideas and future research directions.
2 D
EFINING
T
RUST
Trust is a complex subject relating to belief in honesty, truthfulness, competence, reliability etc.
of the trusted person or service. There is no consensus in the literature on what trust is and on
3
what constitutes trust management [21, 23], though many research scientists recognise its
importance [24, 25]. The significance of incorporating trust in distributed systems is that trust is
an enabling technology. Its inclusion will enable Internet commerce and seamless, secure agent-
based applications. Despite the need to standardize trust and its related concepts, many
researchers simply use and assume a definition of trust in a very specific way relating to topics
such as authentication, or ability to pay for purchases. However, a few authors have tried to
view trust in a generic way.
Kini and Choobineh [26] in their considerations on the theoretical framework of trust, examine it
from the perspectives of personality theorists, sociologists, economists and social psychologists.
They state that trust, as defined in the Webster dictionary, is:
· An assumed reliance on some person or thing. A confident dependence on the character,
ability, strength or truth of someone or something.
·
A charge or duty imposed in faith or confidence or as a condition of a relationship.
·
To place confidence (in an entity).
They highlight the implications of these definitions and combine their results with the social
psychological perspective of trust to create their definition of trust in a system – “a belief that is
influenced by the individual’s opinion about certain critical system features” [26]. Their
discussion, though general in concept, concentrated on human trust in Electronic Commerce, but
did not address trust between the entities involved in an E-Commerce transaction.
The European Commission Joint Research Centre defines trust as “the property of a business
relationship, such that reliance can be placed on the business partners and the business
transactions developed with them” [27]. This view of trust is from a business management
perspective and offers an interesting analysis of what must be done to enable trust in E-
Commerce. They state that the issues of the identification and reliability of business partners,
the confidentiality of sensitive information, the integrity of valuable information, the prevention
of unauthorized copying and use of information, guaranteed quality of digital goods, availability
of critical information, the management of risks to critical information, and the dependability of
computer services and systems (specifically the availability, reliability and integrity of
infrastructure, the prevention of unauthorised use of infrastructure, guaranteed level of services
and the management of risks to critical infrastructure) are key to the emergence of E-Commerce
as a viable commercial activity.
The Oxford Reference Dictionary states that trust is “the firm belief in the reliability or truth or
strength of an entity”. A trustworthy entity will typically have a high reliability and so will not
fail during the course of an interaction, will perform a service or action within a reasonable
period of time, will tell the truth and be honest with respect to interactions and will not disclose
confidential information. Competence is a better term than strength for the environment related
to services and computing system, i.e. an entity should be capable of performing the functions
expected of it or the service it is meant to provide correctly and within reasonable timescales.
Thus, trust is really a composition of many different attributes – reliability, dependability,
honesty, truthfulness, security, competence, and timeliness, which may have to be considered
depending on the environment in which trust is being specified.
4
Trust is a vast topic that incorporates trust establishment, trust management and security
concerns. The lack of consensus with regards to trust, has led authors to use the terms trust,
authorisation and authentication interchangeably. The outcome of a trust decision is based on
many things such as the trustor’s propensity to trust, its beliefs and past experiences relating to
the trustee.
Authorisation can be seen as the outcome of the refinement of a more abstract trust relationship.
For example, if I develop a trust relationship with a particular student, I may authorise him to
install software on my computer and hence set up the necessary access control rights to permit
access. We define authorisation as a policy decision assigning access control rights for a subject
to perform specific actions on a specific target with defined constraints.
Authentication is the verification of an identity of an entity, which may be performed by means
of a password, a trusted authentication service or using certificates. There is then an issue of the
degree of trust in the entity, which issued the certificate. Note that authorisation may not be
necessarily specified in terms of an identity. Anonymous authorisation can be implemented
using capabilities or certificates [28].
We define trust as “the firm belief in the competence of an entity to act dependably, securely and
reliably within a specified context” (assuming dependability covers reliability and timeliness).
Distrust may be a useful concept to specify as a means of revoking previously agreed trust or for
environments when entities are trusted, by default, and it is necessary to identify some entities
which are not trusted. We define distrust as “the lack of firm belief in the competence of an
entity to act dependably, securely and reliably within a specified context”.
We now examine some of the properties of trust relationships in more detail.
3 P
ROPERTIES OF
T
RUST
R
ELATIONSHIPS
In general, a trust relationship is not absolute – A will never trust B to do any possible action it
may choose. A trustor trusts a trustee with respect to its ability to perform a specific action or
provide a specific service within a context. For example, a person is only trusted to deal with
financial transactions less than $2000 in value. Even trust in oneself is not usually absolute and
there is a need to protect resources you own from mistakes or accidents you may cause.
Examples include protecting files from accidental deletion or mechanisms to prevent a person
driving a car when under the influence of alcohol.
A trust relationship can be one-to-one between two entities, however it may not be symmetric.
A’s trust in B is not usually the same as B’s trust in A. It may be a one-to-many relationship in
that it can apply to a group of entities such as the set of students in a particular year. It can also
be many-to-many such as the mutual trust between members of a group or a committee, or
many-to-one such as several departments trusting a corporate head branch. In general, the
entities involved in a trust relationship will be distributed and may have no direct knowledge of
each other so there is a need for mechanisms to support establishment of trust relationships
between distributed entities.
5
There have been suggestions that trust relationships should not be transitive [23], however, some
trust scenarios do exhibit transitivity. The concept of trust delegation is a prime example of the
application of trust transitivity. When I delegate my trust decisions to another, for example John,
I authorize John to make trust decisions on my behalf. Thus, when I delegate to John and John
trusts an unknown entity (say Tim), John is essentially stating that I trust Tim. According to
Christianson and Harbison in [29] the concept of transitivity should be avoided, as it can result in
entity B adding trust assertions to an entity A’s trust base without A’s explicit consent leading to
unintentional transitivity. We agree that transitivity of trust may have unexpected and adverse
results if it implies updating the trust base of a trustor to include derived assertions, but it is may
be necessary in some situations. We consider transitivity to be inherent in some relationships
and so should be considered in the analysis of trust systems in order to determine which
undesired side effects should be prevented.
There is often a level of trust associated with a relationship [30]. Some entities may be trusted
more than others with respect to performing an action. It is not clear whether this level should be
discrete or continuous. If discrete values are used, then a qualitative label such as high, medium
or low may be sufficient. Some systems support arithmetic operations on trust recommendations
so numeric quantification is more appropriate. It is also possible to provide a mapping from
qualitative to numeric labels. However, there is still a problem relating to representation of
ignorance (or the unknown) with respect to trust.
Jøsang’s Opinion Model, based on subjective logic, may be a suitable technique for assigning
trust values in the face of uncertainty [31-34]. An opinion is a representation of a belief and is
modelled as a triplet, consisting of: b (a measure of one’s belief), d (a measure of one’s disbelief)
and i (a measure of ignorance); such that b + d + i = 1. It is assumed that b, d and i are
continuous and between 0 and 1 (inclusive). This model’s strength lies in the ability to reason
about the opinions (on a mathematically sound basis) and its consensus, recommendation and
ordering operators [31]. However, its major weakness is that it cannot be guaranteed that users
will accurately assign values appropriately.
From the literature it is clear that there are many different types of trust, which relate to the
specific purposes or nature of a trust relationship. In the following section we provide a
classification of the types of trust.
4 T
RUST
C
LASSIFICATION
We have identified different forms of trust in the literature relating to whether access is being
provided to the trustor’s resources, the trustee is providing a service, trust concerns
authentication or it is being delegated. This is not meant to be an exhaustive taxonomy, but
merely a useful way of classifying the literature relating to trust in internet services.
4.1 Access to a Trustor’s Resources
A trustor trusts a trustee to use resources that he owns or controls, which could be a software
execution environment or an application service [35-37]. Abrams and Joyce [35] highlight the
fact that resource access trust has been the focus for security specialists for many decades,
although the emphasis has mostly been on mechanisms supporting access control.