Overview
What it is: A Web of Trust is an identity management system that provides each user with a single, lifelong digital decentralized identifier (DID). This credential is respected by all the sites in that system because it is verified and scored by trusted peers.
What it does: Webs of Trust take identity-based authentication out of the hands of large institutions and crowdsource it. Ideally this system incorporates the best of community and individuality, allowing us to reach out for help in establishing trust and to retain a tighter grasp over privacy.
Why it matters: Despite a rocky past, this democratized solution has several advantages over those advanced by centralized authorities, including greater portability, control of private data, and protection against a corporate profit motive.
What to do about it: Webs of Trust offer a way for consumers to take control of their identity vis-a-vis corporate entities, at least in principle (these are early days). So, businesses could see them as an element of building trust relationships with customers.
Participant-Driven Security Assessment
As with other security systems, participants in the Web of Trust receive public and private keys to establish their digital identity. As these individuals interact, they digitally score one another’s identity to indicate their level of trust (“unknown”, “untrusted”, “marginally trusted”, or “fully trusted”). The Web of Trust aggregates all ratings and creates a security assessment.
The Web of Trust doesn’t dictate how users behave towards people of varying scores. Users retain this control. For example, someone may accept verification based upon the recommendation of one fully trusted user or upon the recommendation of three marginally trusted ones. This mirrors the real world, where a person would likely trust a stranger on the word of a single personal friend or upon a number of positive reviews from verified users.
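The acceptance rule just described (one fully trusted endorser, or three marginally trusted ones) can be computed mechanically from the scores a user has assigned to peers. The following is an added example, not code from the original page; it uses hypothetical key names and generalizes the rule in the PGP style, where an endorsement only counts if the endorser's own key has already been accepted, so validity propagates outward from the user's own key.

```python
from enum import IntEnum

class Trust(IntEnum):
    """Owner-trust levels from the text, assigned by the local user to peers they know."""
    UNKNOWN = 0
    UNTRUSTED = 1
    MARGINAL = 2
    FULL = 3

# Acceptance policy, set by the user: one fully trusted endorser OR three marginal ones.
FULL_NEEDED, MARGINALS_NEEDED = 1, 3

def key_is_valid(key_id, certs, owner_trust, valid_keys):
    """certs: key_id -> set of signer ids that certified it; owner_trust: signer -> Trust;
    valid_keys: keys already accepted (an endorsement counts only if the endorser's
    own key is valid, as in PGP's web of trust)."""
    full = marginal = 0
    for signer in certs.get(key_id, set()):
        if signer not in valid_keys:
            continue  # a signature from an unverified key carries no weight
        level = owner_trust.get(signer, Trust.UNKNOWN)
        if level == Trust.FULL:
            full += 1
        elif level == Trust.MARGINAL:
            marginal += 1
    return full >= FULL_NEEDED or marginal >= MARGINALS_NEEDED

def compute_valid_keys(own_key, certs, owner_trust):
    """Iterate to a fixed point: validity propagates through endorsers the user trusts."""
    valid = {own_key}
    changed = True
    while changed:
        changed = False
        for key in certs:
            if key not in valid and key_is_valid(key, certs, owner_trust, valid):
                valid.add(key)
                changed = True
    return valid

# Constructed sample web (hypothetical names). "me" is the local user's own key.
CERTS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "erin": {"alice"},                   # one fully trusted endorser -> accepted
    "frank": {"bob", "carol"},           # only two marginals -> rejected
    "grace": {"bob", "carol", "dave"},   # three marginals -> accepted
    "heidi": {"erin"},                   # erin is valid but the user never scored her -> rejected
}
TRUST = {"me": Trust.FULL, "alice": Trust.FULL,
         "bob": Trust.MARGINAL, "carol": Trust.MARGINAL, "dave": Trust.MARGINAL}
```

Calling `compute_valid_keys("me", CERTS, TRUST)` accepts alice, bob, carol, dave, erin and grace, while frank (two marginals) and heidi (endorsed only by a key the user never scored) stay unverified.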
Limitations of Web of Trust
The primary obstacles facing the Web of Trust will include populating the reputational network, dealing with logistical problems, and eliminating the entrenched influences that undermine the goals of decentralized self-sovereignty.
Because a Web of Trust requires a critical mass to be effective, its initial challenge is establishing robust, meaningful participation. Some groups have jump-started the process by hosting “key signing parties” where groups come out (or log on) to meet and verify local identities.
A second challenge is the rapid consumption of private keys. Solutions include limited key lifespans, tying them to biometrics, or naming trusted third-party decertification agents who can reset the security. A third issue is designating storage areas for encrypted data. Centralized repositories undermine sovereignty; private possession invites tampering; public hosting jeopardizes privacy.
These problems could be solved by combining centralized/private control and requiring two encrypted keys to unlock: a model like safety deposit boxes instead of vaults. Evolving protocols and advancing technologies hold promise to provide additional options on these issues.
Relationship to Blockchain
Webs of Trust are often associated with Blockchain because of their shared philosophy regarding decentralized public control of digital authentication. Fortunately, this tool can be useful in implementing a Web of Trust. Due to its use of distributed ledgers, Blockchain is an inappropriate avenue for storing private keys or personal data, but it may be ideal for sharing public keys and locations of privately-encrypted data.
The WOT Browser Add-On Scandal
WOT Services, LLC is a Finnish company that registered the WOT trademark in 2006 for its browser plugin that provides crowdsourced ratings of websites’ privacy practices. Over 140,000,000 users installed the software. In 2016 an investigation revealed that the company had secretly collected private data about its users’ browsing habits and sold it to third parties. This severely tarnished the phrase Web of Trust.
Ironically, the behavior of WOT Services only strengthens the case for implementing an actual Web of Trust.
Further Reading
Rebooting the Web of Trust — Papers and Advance Reading Index. https://decentralized-id.com/literature/rebooting-web-of-trust/