YY

eCommerce Trust via the Proposed W3 Trust Model

Yinan Yang, Lawrie Brown, Ed Lewis

School of Computer Science,

University of New South Wales,

University College, ADFA

{yany97, Lawrie.Brown, e-lewis}@cs.adfa.edu.au

Jan Newmarch

School of Network Computing

Monash University, Melbourne, VIC

Jan.newmarch@infotech.monash.edu.au

Abstract

The major industrially adopted public key trust models are primarily hierarchically structured to form a vertically trusted environment (eg. X.509), whereas most web documents are hypertext linked to form a horizontally referral (or web-linked) environment. By introducing a set of trust attributes in such a heterogeneous environment, transitivity of trust can be implemented. The proposed Trusted W3 Model described in this paper combines a vertically trusted public key infrastructure with a horizontally referral Web classification of trust metadata. The proposed W3 Trust Model provides a mechanism to assess both the trust and the transitivity of trust of web contents.

1. Introduction

Traditional trust relationships between business parties were based on legitimate physical identities (eg. shopfront). This physical manifestation is in contrast to an eCommerce environment on the Internet, where business providers and consumers identify each other by their Web sites, email addresses or some electronic means (eg. a public key, or certificate).

These changes have brought about a new set of electronic threats and risks. Some risks include fraud [NFIC, 1999], misuse of personal data (eg. credit card number), deliberate misinformation (ie. the content of Web documents), Web spoofing (ie. mimic legitimate businesses to unlawfully obtain consumers' credit card numbers), eavesdropping, identity theft [USA, 2001], and repudiation.

These risks represent elements of uncertainty in the eCommerce environment, which can produce devastating results (eg. financial losses). As a result of these risks, there is an increasing awareness among web users of the issue of authenticity: of business partners, service providers and product information.

To limit or better deal with these elements of uncertainty, Trust has been identified as an important concept in eCommerce [Yang, et al, 1999b]. The trustworthiness of a web document is an increasing factor affecting the rate of growth of eCommerce.

From an eCommerce perspective, Trust can be seen as a counterweight to elements of uncertainty. eCommerce Trust can be tentatively defined as: a culturally (ie. Web communities) subjective view and perception (and expectation) of honesty and lawfulness by others [Yang et al., 1999a].

2. Statement of problem

Different Web communities may have different conceptual interpretations and definitions of Trust. However the meaning of Trust in the context of E-Commerce is still very recent, and is evolving along with the Web environment and technologies.

From different perspective, there are some works have looked at the issues of Trust, such as the meaning of Trust [McKnight, 1999], legal aspects of Trust [McCullagh, 1998], IT security industry viewing Trust [VeriSign, 1998], and Web professional viewing Trust [Khare, 1998]. Some Trust related projects include the DSig project [Khare, 1998], and the REFEREE Project [EFEREE Project, 1998] by W3C working groups.

There are several public key infrastructure (PKI) trust models (X.509, PGP, SDSI/SPKI) [Yang et al., 1998] that have been developed, which involve digital signatures and other security services (eg. authentication, authorisation, access-control-list, privacy). The major industrially adopted PKI trust models are primarily hierarchically structured (eg. X.509) to form a vertically trusted environment [Yang, et al., 1999b].

(Figure 1) PKY hierarchical Structure

However, in contrast to the hierarchical PKI trusted environment (Figure1), most web documents are hypertext linked to form a horizontally (or web) referral environment. The nature of web documents requires an additional way to propagate trust from a parent (or root) web document to their signed or unsigned offspring web documents, giving rise to a heterogeneous trust environment on the Internet.

There are a number of methods and metadata models such as Back-propagation [Marchiori, 1998], Dublin Core (DC) [DC, 1998], Meta Content Framework [MCF, 2001], and ICRA [ICRA, 2001].

The back-propagation method [Marchiori, 1998] tries to automatically generate a metadata description, and make it easier to classify web information by "fuzzifying" the metadata attributes. In his mathematical formula, there is a "fading factor" during the back-propagation. However, the "fading factor" has not been specifically identified nor how the "fading factors" relate to the metadatum of web documents. The DSig project uses "digitally signed labels to make authenticateable assertions about standalone documents or about manifests of aggregate objects" [DSig, 1998].

Existing metadata models are targeted to a particular group. For example, Dublin Core is a set of descriptors to describe web publications, the meaning of each descriptor defined from the point of view of library communities. RSACI is used by parents and teachers for filtering the content of information on the Web.

 There is a lack of connection and analysis on the following areas:

how the PKI hierarchically trusted environment will affect trustworthiness of web documents which are structured in a horizontally referral (web-linked) environment;

how transitivity of trust would be dealt with in the heterogeneous Web environment; and there are no classifications for trustworthiness of Web documents.

In other words, there is a lack of coherent assessment of trustworthiness of Web contents within a heterogeneous environment, ie. where there is a combination of a hierarchical PKI trusted environment and a Web referral environment.

3. Proposed Approach

The proposed W3 Trust Model is in an attempt to narrow the gap/disconnection between a PKI environment and Web referral environment. The proposed trust attributes (trust metadata) of W3 Trust Model combines a vertically trusted Public Key Infrastructure (PKI) with a horizontally referral Web environment. We believe that it can provide an adequate trust environment and promote the transitivity of trust within its defined trust domain (ie. Web referral environment with a manageable number of nodes on the Internet).

The following provides general analyses of the heterogeneous environment in which the W3 Trust Model resides, and issues of Transitivity of Trust within the heterogeneous trust web environment.

In contrast to the PKI vertically trusted environment, horizontally referred web documents are the most common in a web environment. The Figure 2 shows that common web referrals are arbitrary and horizontal (ie. web-linked).

(Figure 2) Web-linked documents

Is a certified server (ie. certified machine) sufficient for web users to trust the information and make a purchase on the web? A certified server only proves the authenticity of the server (eg. web server), but does not prove web content information on the server. Also, in most cases, the communications between the server and client machines are not secure until web users agree to give their credit card numbers.

A well-known CA displayed the following information on its web site: "Keep in mind that it is not necessary to make all the pages on your server secure. SSL (Secure Socket Layer) imposes some performance overhead. Therefore, most server software packages allow you to apply SSL selectively to those pages which require encryption (eg. payment pages) while leaving other pages (eg. product information pages) unsecured" [VeriSign, 1998].

It can be said that Trust has been established at the point of purchase once web users accept the trustworthiness of the web information, and are convinced either that there are no risks present or that assurances outweigh the risks.

The certified server and the web information should be considered as separate entities. An authentic server only shows web users that it (eg. the URL of the web server) is truly the server it claims it is. The CA certified the server does not provide a complete guarantee of the web information it contains, ie. the CA of the server has no total control over what web information is put on the server and who has control of the web information in operational aspects. This is particularly true when an organisation does not run its own web server (ie. outsources its web server to another company).

What is the alternative?

A Set of Trust Attributes

Trust information is metadata. Metadata is a simple way of providing information about a web resource, eg. a web document. The main function of the Trust Metadata (ie. a set of Trust Attributes) is to specify information on the trustworthiness of a web document, providing the Trust Attributes (covering different aspects of a web document) have been defined properly, ie. sufficient information has to be extracted from all aspects of a web document in the heterogeneous Web environment.

Trust metadata can be simple or complicated depending on how we would like to define it. "Trust is in the eye of the beholder", ie. different beliefs and cultures may lead to different sets of trust attributes.

In simple terms, to trust a web object (eg. a web document) is similar to developing trust in strangers. We want to know about their past, present, their associates, and the environment they live in by questioning themselves, referees, their families, friends, and people we trust, to see if they know about the strangers. And we hope that we ask all the right questions to each group of people and get complete, accurate answers back, which then can be processed without an error or obstacle.

On the web, the whole process of establishing trust must be done within a few seconds. Otherwise, business providers may find no one wants to do business with them. In addition, if the method of providing Trust Attributes (which form Trust Metadata) is too complicated to implement and too difficult to use, then it will deter its use. Therefore, a simple and friendly method is very important.

What Trust Attributes are needed to gather all the trust information? In principal, Trust Attributes should be able to describe most aspects of a web document and the environment in which web documents reside. The Trust metadata should assist better interpretation of individual trust attributes and provide meaningful information on the trustworthiness of a web document. There is a basic set of attributes, such as signed or unsigned web documents, and signed or unsigned servers (eg. a web server).

Based on the Dublin Core web resource descriptors, we suggest the following Trust Attributes be used in Trusted W3 Model to describe a web document from the Trust perspective [Yang et al., 1999a]. The objective of Trust Attributes is to provide information about not only the contents of a web document, but also ownership, and certification information. Trust Attributes can be categorised into three groups as follows.

a. Web Object Content:

What it is about: Key words, Coverage, Description of sale information, Category, Title, Subject. Information about the web document can be divided into different categories, such as finance, education, entertainment, and news, etc. Some information has more serious consequences if it is misleading than others. And there may be less concern for trustworthiness if no action is required (eg. purchase) after it is read. Trustworthiness may be related to fear of some kinds of risk, such as financial loss, or misused personal information (eg. credit card numbers). So the attributes of Title, Subject, Keywords, Coverage, Description, Category, provide a reasonable description about a web document.
When it is created: Create-Date. Often up-to-date information may be more credible than "old" (obsolete) information. On the other hand, it may also cause concern for someone because frequently changing information may be out of date when read.
Any conditions: rights, eg. license issues, copy rights.

b. Relationship Between the Web Object and its Owner:

Who owns it: publisher, creator, contributor, organisation. If the web document is owned by an organisation rather than a person, it may carry more weight, because approval procedures from the organisation should filter out inaccurate information. Reputable organisations (big or small) may have better filters of known error information.
What kind organisation it belongs to: organisation type, eg. gov, com, edu. In OECD countries, it is reasonable to assume that government departments (at least in Australia) have less intention to publicise misleading information and make a quick sale on the web. They give more weight to legality than some commercial organisations.
Who else it refers to: number of different URLs, ie. Num-Diff-URL. The different URLs may cover more physical locations and have potential risks, such as suspect servers, obsolete information, questionable authoritative information and give rise to questions about whether the referral URLs (eg. organisations and their servers) have similar policies and operational standards across the board.

c. Relationships Between the Web Object and the CA:

Has the current (web) servers been certified: Cert-Site. Although the certified server does not carry the same trust weight as the directly certified web document, it certainly helps to add extra trust weight to the web document.
What type of Certificate: Cert-Type. A number of certificates may result from this attribute. Authors sometimes attach their own personal certificates, the server may have been issued one and a web document may also have one. The task is to give the highest trust weight to the most trusted and most relevant attributes, while not discarding others, but adding the extra trust weight to the total value.
Who is the CA: CA. this attribute should indicate the issuing CA. Perhaps the CA certified web server is different from the CA certified web document. The latter should carry more weight of trust than the previous one, because of its direct relevance to the web information.
Where is the CA: Country, eg. au, cn, br, fr, de. Each country has different legislation regarding recognition of digital signatures. OECD countries may have more uniform legal systems and policies then some other countries. More well defined legislation and defined legal systems may carry more trust weight than those who are not.

These proposed Trust Attributes are tentative. Some refinements will be needed to enhance the Trust metadata of a web document and to reflect any changes of the heterogeneous Web environment. There may be more attributes that could be added to this initial set of trust metadata, eg. a number of different URLs refer to the web document or a number of visitors, which may provide some information about web documents that are trusted by many other web users.

In general, the following conclusions might be drawn:

the shorter the hierarchical certification path, the less trust value might be lost (ie. there are fewer accumulated "fading factors");
the same CA certifying both web documents and the server should have the highest trust value;
a certified web document with a non-certified server probably has higher trust value than a certified server with non-certified web documents (this is a very difficult one to determine, and needs to be tested in the real world);
a certified web document or server has higher trust value than a non-certified web document or server;
some factors have been identified which may affect the trust value of a web document directly or indirectly through Transitivity of Trust.

4. Current state

Based on our proposed W3 Trust Model, the initial implementation has been completed. However, the implementation only provides a basic demonstration of how the W3 Trust Model works in action.

5. Future work

The proposed W3 Trust Model provides a mechanism of the evaluation of trust and transitivity of trust through carefully constructing a trust metadata tree using online service "relevance" assessments, verifying certificate(s) and logically combining the calculated values. There are a number of areas in which the W3 Trust Model will be further developed. These areas include:

Developing further options, such as a "zero-trust" model and "maximum-trust" model to cater for different user requirements.
Continue refining the set of trust attributes of the W3 trust model.
Carrying out a trust evaluation on a larger sample of real online services

The W3 Trust Model does depend on online service providers' Web contents being compliant with a metadata standard. Given wide use of XML in eCommerce environment, the potential benefits of using XML and RDF may be explored for standardising trust metadata.

The proposed Trusted W3 Model provides a coherent, heterogeneous trust Web environment by establishing:

a realistic way of assessing the trustworthiness of Web contents; and
a mechanism to address the Transitivity of Trust in a Web referral environment.

References

[DC, 1998] Dublin Core Metadata initiative, http://dublincore.org/ current version Oct 1998.

[DSig, 1998] W3C DSig Project, "DSig 1.0 Signature Label Specification" http://www.w3.org/TR/1998/PR-DSig-label-19980403/, current version 1998.

[EFEREE Project, 1998] EFEREE Project, http://www.w3.org/PICS/TrustMgt/, current version 12 November 1998.

[ICRA, 2001] Internet Content Rating Association, http://www.rsac.org, current version June 2001.

[Khare, 1998] Roht Khare, "Digital Signature Label Architecture", http://www3.org/Pub/WWW/TR, current version October 1998.

[Marchiori, 1998] Massimo Marchiori, "The limits of Web metadata, and beyond", W3C, MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, USA.

[McCullagh, 1998] A. McCullagh, "E-Commerce: A Matter of Trust", the Proc of the Information Industry Outlook Conference, Canberra, 7 Nov 1998.

[MCF, 2001] Meta Content Framework, http://www.xspace.net/hotsauce/mcf.html, current version June 2001.

[McKnight, 1999] D. Harrison McKnight,

"The meaning of Trust", http://www.misrc.umu.edu/wpaper/wp96-04.html, current version 20 January 1999.

[NFIC, 1999] National Fraud Information Centre (NFIC), "Internet Fraud Statistic Reports", http://www.fraud.org/, current version 2 May 1999.

[USA, 2001] "U.S. government's central website for information about identity theft", http://www.consumer.gov/idtheft/, current version June 2001.

[VeriSign, 1998] VeriSign, "Server ID Centre", URL at http://www.verisign.com/, current version 7 March 1998.

[Yang et al., 1998] Yinan Yang, Lawrie Brown and Jan Newmarch, "Issues of Trust with Public Key Certificates", Published at the AUUG’98 Conference Proc, p77-93, 14-18 Sept 1998.

[Yang et al., 1999a] Yinan Yang, Lawrie Brown, Jan Newmarch, and Ed Lewis, "A trusted W3 Model: Transitivity of Trust in a Heterogeneous Web Environment", the Proc of AusWeb99, June 1999.

[Yang, et al., 1999b] Yinan, Yang, Lawrie Brown and Jan Newmarch, "Tokens of Trust: Different Certificates for Different Trust Models", the Proc of the UniForum NZ99 Conference, April 1999.