Reputation for OpenID


I'm teaching a graduate class on reputation this semester. I did the same thing last year and the class project was building a reputation framework. The ideas surrounding reputation intrigue me, if you haven't figured that out from reading this blog.

I've had various ideas for this semester's project, but finally settled on the idea of reputation for OpenID. With OpenID gaining steam, there are concerns on the user side about how to know whether to trust an OpenID provider. Even if you pick someone with obvious standing, like AOL, how do you know if the site you've been redirected to for authentication is really AOL or some clever phishing attack?

At the same time, relying parties have concerns about whether or not to trust a particular OpenID. Say someone shows up at your site with an OpenID from myopenit.net. Should you trust that they've been properly authenticated?

People have proposed white lists and black lists to solve these problems, but I think a better solution is a reputation system that can tell you about OpenIDs. I believe the reputation framework we built last year can be put to this task.

Reputation systems work best when there are multiple users sharing their experience, but the system would be useful even for a single site. I'm concerned about how the system could be gamed (see Wired's article on how this is happening now on Digg, del.icio.us, and other sites, for example). I believe that reputation can serve as a proxy for authorization, in some cases.

There are many unanswered questions, but that's why we do this, after all. I'll post periodic updates on how it's going.