XFN is vulnerable to relationship injection attacks, as discussed earlier here and there and elsewhere. Summary: if I create a malicious page and put a rel="me" link to your page, your XFN "identity" contains my malicious page and is therefore compromised. The same holds true for links to other people.
We can arm ourselves against such an attack by requiring that all links are bidirectional, i.e. reciprocated. This is, in practice, too burdensome. If you have 10 pages, you'd have to link to all 10 pages from all 10 pages to truly establish identity. If you have 20 friends with 10 pages each, they'd have to put all your 10 pages on all their 10 pages. And everyone would have to do that for everyone.
establishing trust
The problem we're trying to solve is: which web pages are part of somebody's (intrapolated) identity, and which aren't?
We can mitigate this problem by introducing a measure of trust on each rel="*" link. Each inbound link from one page to another implies trust from the originating page in the landing page. A reciprocating link reciprocates the trust.
Consider the diagram presented above. The dark blue square in the middle represents your contact page, with outgoing rel="me" links to all your other, light blue pages. The red square represents a malicious page that tries to insert itself into your identity.
The three light blue squares in the upper left corner show how one backlink from each to the central contact page is sufficient to create a trusted page network that repels the red attack. One backlink per page is sufficient; the pages do not have to link to all other pages.
A link + backlink (bidirectional link) is the easiest way to establish trust. A closed circle of links (not illustrated here) can also be used to establish a transitive trust relationship. However, consider the light blue squares in the top right corner. These are my pages; however, the trust circle is not closed.
social identity warfare
To see why this is relevant, you need to abandon the implicit trust in the central dark blue square. Consider that it's not your own graph you're parsing, but just some nexus of XFN links on the web. Now take a look at the orange square in the bottom right corner. This represents a relationship injection attack of a different kind, whose objective is to steal somebody else's reputation to augment your own.
From a trust parsing perspective, there's no difference between the yellow reputation attack and the not-fully-linked light blue pages in the top right corner. All these are suspect, because they all fail to establish a fully transitive trust circle of links.
parsing trust
How you handle these cases in your XFN parser is a matter of policy. A naive implementation ignores trust considerations and is open to relationship injection attacks. A slightly more sophisticated parser might count all links as one trust point, and require a level of at least one (or two) trust points for a page to be included in an identity. At first sight, this hardens the network against relationship injection attacks of the red kind (identity degradation).
Ultimately, however, these approaches are insufficient and leave open the yellow kind of attack (reputation stealing), which, from the point of view of the owner of the yellow page, is exactly the same as the red relationship injection. The main difference is that the red page is an isolated page, whereas the yellow page is the beachhead of a full network that tries to insinuate itself into your identity network.
fixing the identity concept
Identity, that missing concept in XFN, keeps cropping up. Shouldn't we just say: an identity = a page? That central contact page? And all the other pages are part of this identity only if they're linked from this page as rel="me" and link to the central identity page with rel="me".
That would simplify matters a lot. From there, establishing reciprocity in other relations is a piece of cake. Just as long as any page in my network links to any page in yours, and some page in your network links back to some page in mine, we're ok.
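The page-as-identity rule above, set against the naive parser from the "parsing trust" section, as an added example (not the author's code). The URLs, the sample link graph and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample graph: page -> set of pages it links to with rel="me".
# All URLs are made-up placeholders.
HUB = "https://alice.example/contact"
ME_LINKS = {
    HUB: {"https://alice.example/blog",
          "https://photos.example/alice",
          "https://alice.example/old"},
    "https://alice.example/blog": {HUB},        # link + backlink
    "https://photos.example/alice": {HUB},      # link + backlink
    "https://alice.example/old": set(),         # linked from hub, no backlink
    "https://evil.example/injected": {HUB},     # inbound only: injection
}

def naive_identity(start, links):
    """Naive parser: a rel="me" link in either direction merges two pages."""
    undirected = {}
    for src, targets in links.items():
        for dst in targets:
            undirected.setdefault(src, set()).add(dst)
            undirected.setdefault(dst, set()).add(src)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in undirected.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def reciprocal_identity(hub, links):
    """Identity = the hub plus pages it links to that also link back to it."""
    return {hub} | {p for p in links.get(hub, ()) if hub in links.get(p, ())}

def suspect_pages(hub, links):
    """Pages the naive parser accepts but the reciprocal rule rejects."""
    return naive_identity(hub, links) - reciprocal_identity(hub, links)

if __name__ == "__main__":
    for page in sorted(suspect_pages(HUB, ME_LINKS)):
        print("suspect:", page)
```

The injected page and the owner's own unreciprocated page both land in the suspect set, which is the point made earlier: a parser cannot tell them apart without the backlink.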
trust is your enemy
Implementing trust mechanisms on top of XFN is a hack that does not address the fundamental problem.
Without OpenID or another strong identity mechanism, XFN is far too naive and vulnerable to be useful and viable in the long run.
It's a wide open hole for spammers as soon as XFN is used more widely.