=Paper=
{{Paper
|id=Vol-190/paper-6
|storemode=property
|title=Context-aware Trust Evaluation Functions for Dynamic Reconfigurable Systems
|pdfUrl=https://ceur-ws.org/Vol-190/paper06.pdf
|volume=Vol-190
|authors=Santtu Toivonen,Gabriele Lenzini and Ilkka Uusitalo
|dblpUrl=https://dblp.org/rec/conf/mtw/ToivonenLU06
}}
==Context-aware Trust Evaluation Functions for Dynamic Reconfigurable Systems==
Santtu Toivonen, VTT Technical Research Centre of Finland, P.O.Box 1000, FIN-02044 VTT, Finland, santtu.toivonen@vtt.fi
Gabriele Lenzini, Telematica Instituut, P.O.Box 589, 7500 AN Enschede, The Netherlands, gabriele.lenzini@telin.nl
Ilkka Uusitalo, VTT Technical Research Centre of Finland, P.O.Box 1100, FIN-90571 Oulu, Finland, ilkka.uusitalo@vtt.fi
Copyright is held by the author/owner(s). WWW2006, May 22–26, 2006, Edinburgh, UK.

ABSTRACT

We acknowledge the fact that situational details can have impact on the trust that a Trustor assigns to some Trustee. Motivated by that, we discuss and formalize functions for determining context-aware trust. A system implementing such functions takes into account the Trustee’s profile realized by what we call quality attributes. Furthermore, the system is aware of some context attributes characterizing additional aspects of the Trustee, of the Trustor, and of the environment around them. These attributes can also have impact on trustor’s trust formation process. The trust functions are concretized with running examples throughout the paper.

Keywords

Context-Awareness, Trust Evaluation Functions, Dynamic Reconfigurable Systems

1. INTRODUCTION

Context influences the behavior of an agent on multiple levels. Generally, context is any information characterizing the situation of an entity. An entity, in turn, can be a person, place, or object that is considered relevant to the interaction between a user and an application, including the user and the application themselves [10]. Context-awareness has been recognized in many research areas of information technology, such as information filtering and retrieval [21], service provisioning [24, 36] and communication [26, 11].

Trust is another emerging research subject. Trust is a fundamental factor in human relationships enabling collaboration and cooperation to take place. In Computer Science, Trust Management [6] studies how to establish and to maintain trust relationships among distributed software components such as software agents and web services, and also between users and software components. Trust management is also a way to enhance security and trustworthiness. As such it has been applied for example in the domains of Semantic Web [25], in Global Computing [7], and in Ad Hoc Networks [22].

However, the relationship between context and trust has not received very much attention, apart from some occasional work, such as the ones reported in [28, 33]. This is unfortunate, since such relationship can easily be recognized and its existence justified. The work reported in this paper delves into that topic.

At an abstract level, trust formation can be described with mathematical functions, which take some phenomena as input, and provide a level of trustworthiness as an output. We formalize such functions by putting emphasis especially on the context attributes. More specifically, the “traditional” aspects influencing trust formation, for example reputation and recommendations, are complemented with contextual information. In addition, we concretize the functions via examples.

The rest of the paper is organized as follows. Section 2 summarizes some of the relevant related work. Section 3 introduces the operational framework where trust is evaluated and proposes a distinction between quality attributes and context attributes based on the trust scope. Additionally, Section 3 illustrates the role of context in the trust evaluation process. Section 4 presents the details of the context-aware trust evaluation function. Moreover, it shows how context information can be used to select, among a set of past experiences and a set of recommendations, those that are relevant with regard to the current context. Section 5 exemplifies the use of context in trust evaluation process through an example. Finally, Section 6 concludes the paper and Section 7 points out some of our future work.

2. RELATED WORK

Trust plays a role across many disciplines, including sociology, psychology, economics, political science, history, philosophy, and recently also computer science [12]. For example, Grandison and Sloman discuss properties of varying definitions of trust for Internet applications, and present different trust models dealing with them [13]. They also summarize some well-known trust management tools, such as PolicyMaker [4], KeyNote [5] and REFEREE [8]. Most of these tools are based on the proposal of Blaze et al. [6], who first coined the term trust management.

Recent approaches to trust management are able to deal with incomplete knowledge and uncertainty (see for example the surveys reported in [12, 13, 17, 29]). Acknowledging uncertainty is particularly suitable when applied to a global computing environment. The trust evaluation functions we study in this paper are part of this global computing approach to trust management. However, unlike other approaches, such as those reported in [1, 2, 15, 17, 19, 20], we do not develop any new algorithms for trust evaluation. Instead, we investigate strategies for enriching traditional
trust evaluation functions with the possibility of analyzing contextual information.

We acknowledge several (trust) relationships when studying the context-dependent trustworthiness of a trustee. Therefore, we suggest a solution for using context data to improve the traditional trust establishment, for example when asking for the trustee’s reputation. This extends for example the approach reported in [28], in which the trustors are mainly (human) users of some system, and the context typically taken into account is the location/proximity of other users. It also goes beyond [2], where the kind of trust recognized as context-dependent only has to do with roles of human beings (for example, having a different degree of trust to someone acting as a doctor than acting as a car mechanic).

Inspired by [3], we integrate trust evaluation into a wider model where both the relationships and the quality attributes contribute to the evaluation of the composite trustworthiness. Our reputation-based mechanism is intentionally left at the level of templates; various specific computational techniques can be plugged in it. Examples are those using semirings [32], linear functions [35], belief combination functions over paths in the Semantic Web [27], and reputations as described in [22, 16].

In [23], the authors develop a framework to facilitate service selection in the semantic grid by considering reputation information. In the service interrogation phase, users evaluate the reputation of particular services with regard to a certain aggregation of qualities (called context in the paper), to choose a service that meets with their perceptual requirements. In this paper, context is used to refine the trust evaluation process of the qualities of the trustee.

3. OPERATIONAL SCENARIO OF TRUST

Figure 1 depicts our operational scenario of trust. Here, two main actors are involved in the process of trust evaluation: Trustor and Trustee (see also [13, 14]). Trustor performs the trustworthiness calculation for a certain purpose, called a trust scope [1], the object of which is the Trustee.

Figure 1: Operational view of trust. The Trustor uses quality attributes and context attributes to decide to what extent it trusts the Trustee. Quality attributes (Q) describe the Trustee’s abilities. Context (C) describes surrounding information about the whole scenario constituted by the Trustor, Trustee, and their environment.

Definition 1. Trustor is the entity that calculates the trustworthiness. Trustee is the entity whose trustworthiness is calculated. Trustworthiness is modeled with a trust value. Trust value expresses the subjective degree to which the Trustor has a justifiable belief that the Trustee will comply with the trust scope.

To evaluate the Trustee’s trustworthiness for a certain trust scope, the Trustor analyzes two different kinds of input: quality attributes and context attributes.

Quality attributes represent the essential data characterizing the Trustee. Without quality attributes, a Trustor has no a priori knowledge of the object of trust, and cannot start any trustworthiness determination on rational basis. The only possible decisions in this case are to trust blindly, that is, to adopt an optimistic approach, or to distrust, which means adopting a pessimistic approach [25].

Context attributes represent contextual information that the Trustor may require in addition to the quality attributes, in order to complete the evaluation of the Trustee’s trustworthiness. Context attributes may or may not be available at the moment of trustworthiness evaluation. Their absence does not prevent the trustworthiness evaluation process, but can nevertheless affect the result. For example, depending on the scenario, context may express some relevant property characterizing the Trustor, and its impact on the trust evaluation may strongly affect the preliminary result that comes out from the analysis of the quality attributes.

The division of one set of attributes into quality and context attributes varies case by case. In this paper, we use the notion of trust scope [1] to deal with the changes affecting this distinction. For instance, suppose that the scope to evaluate a network component is to establish its trustworthiness when it is used in a networked game application. Here, the feature of providing encrypted communication is something that can be understood in connection to the context. Instead, if the same component is judged for trustworthiness when used in a payment application, security features such as encryption are best thought of in connection to the quality attributes.

To conclude this section, we introduce one example of context-dependent trust scenarios. It will be used later on in the paper when some concepts need to be concretized and discussed.

Example 1 (Messaging). (A more extensive version of this example appeared in [33].)

Alice receives an SMS with the content “We have just won one million euros at the bingo. Cheers Bob”. The Trustor is Alice and the Trustee is the message’s content.

If the trust scope is to determine the creator/sender of the message (for example, “Is that really Bob who cheers me?”), quality attributes can be the message header (that includes the phone number from where the message originated), and perhaps the network which delivered the message. Context attributes can be the location of the sender, the location of the receiver, the fact that Alice has bought a lottery ticket in the past, the knowledge (say, from local news) that there has been a winner in the bingo, the reputation of the sender (“he likes making jokes” versus “he never makes jokes”).

Instead, if the trust scope is to trust the message content as authentic (“Did we really win?”), quality attributes are the
message header, the network which delivered the message, the fact that Alice has bought a lottery ticket, the reputation of the sender. Context attributes can be the location of the sender, the location of the receiver, the knowledge that there has been a winner in the bingo. Note that this last attribute can significantly change Alice’s judgement, but the absence of this piece of information does not disrupt the trustworthiness evaluation process.

4. CONTEXT-AWARE TRUST EVALUATION

This section gives a mathematical characterization of the concepts for quality attributes and context attributes illustrated in Figure 1. Moreover, this section characterizes the mathematical structure of a context-aware trust evaluation function in terms of relevant data domains.

4.1 Quality Attributes and Context Attributes

Let us consider the example scenario of trust described in Example 1. Let Attributes represent the information that is potentially involved in this instance of the scenario of trust. Attributes contains all the potential message headers (here only phone numbers), network names, localities, and reputation information about the sender of the message.

Formally, Attributes is a set of typed and structured data over a signature $\Sigma(I) = A_1 \times \ldots \times A_n$, where $A_k$ are types and $I = \langle a_1, \ldots, a_n \rangle$ is an array of type names. The $A_k$ can be atomic or composed, and are not necessarily distinct.

Example 2 (Messaging continued).

The set of all potential data in our messaging example is described as follows:

$$\Sigma(I) = \mathit{number} \times \mathit{name} \times \mathit{location} \times \mathit{location} \times \mathit{string} \times \mathit{bool} \times \mathit{bool}$$

$$I = \langle \textit{header}, \textit{network}, \textit{sender location}, \textit{receiv location}, \textit{reputation}, \textit{bought ticket}, \textit{winner in the news} \rangle$$

$$\mathit{Attributes} = \{ \langle +390586, \text{TrustFone}, \text{London}, \text{NY}, \text{“hates jokes”}, \mathit{false}, \mathit{true} \rangle,\ \langle +316453, \text{MalisFone}, \text{NY}, \text{Dublin}, \text{“likes jokes”}, \mathit{true}, \mathit{true} \rangle,\ \ldots \}$$

As anticipated in Section 3, within an instance of the scenario of trust and in dependence on the trust scope $\sigma$, we can identify two different sets of disjoint sub-tuples in Attributes:

• the set Quality of all quality attributes, defined as the set of data over the signature $\Sigma(M(\sigma))$, where $M(\sigma)$ is a sub-tuple of $I$ (written $M(\sigma) \sqsubseteq I$).

• the set Context of all context attributes, defined as the set of all data whose signature is $\Sigma(I - M(\sigma))$. Here $I - M(\sigma)$ is the tuple obtained by orderly removing the items of $M(\sigma)$ from $I$.

We assume Attributes = Quality × Context, without loss of generality.

Example 3 (Messaging continued).

The division into sub-tuples for quality attributes and context attributes depends on the trust scope $\sigma$. In reference to Example 1, if the trust scope of Alice is to evaluate the trustworthiness of the message as authentic from Bob, quality attributes are the message headers and the network names. Formally:

$$I \sqsupseteq M(\sigma) = \langle \textit{header}, \textit{network} \rangle$$

$$\Sigma(M(\sigma)) = \mathit{number} \times \mathit{name}$$

$$\mathit{Quality} = \{ \langle +390586, \text{TrustFone} \rangle,\ \langle +316453, \text{MalisFone} \rangle,\ \ldots \}$$

The remaining attributes define the context:

$$\Sigma(I - M(\sigma)) = \mathit{location} \times \mathit{location} \times \mathit{string} \times \mathit{bool} \times \mathit{bool}$$

$$I \sqsupseteq I - M(\sigma) = \langle \textit{sender location}, \textit{receiv location}, \textit{reputation}, \textit{bought ticket}, \textit{winner in the news} \rangle$$

$$\mathit{Context} = \{ \langle \text{London}, \text{NY}, \text{“hates jokes”}, \mathit{false}, \mathit{true} \rangle,\ \langle \text{NY}, \text{Dublin}, \text{“likes jokes”}, \mathit{true}, \mathit{true} \rangle,\ \ldots \}$$

4.2 Trust Evaluation Function

This section describes the structure for the proposed trust evaluation function, taking into account contextual data. We also present a partial implementation, although the generality of our functions allows different implementations as well.

4.2.1 Trust Values

According to Definition 1, trustworthiness is modeled with a value, called trust value, which is the final result of a trustworthiness evaluation process. A trust value can be used, in interaction with a risk analysis, to take a decision in the case of uncertainty [18]. In the literature there exist various implementations for trust values. For example in the Subjective logic theory [17, 18, 16] a trust value is a triple $(b, d, u)$ where $b, d, u \in [0, 1]$ and $b + d + u = 1$; they represent an opinion in terms of amount of belief, disbelief, and uncertainty, respectively.

In this paper, we assume a trust value to be a real number in the interval $[0, 1]$. In this case, a trust value is interpreted as a measure of trust: the values 0 and 1 stand for complete distrust and complete trust, respectively. This choice simplifies the exposition of our strategies for trust evaluation, but we claim that our strategy can be adapted to other models for trust values such as that of the Subjective logic.

4.2.2 Basic Trust Evaluation Function

This section describes the basic version of our context-aware trust evaluation function. Later, we show how to cope with reputation and recommendations, which are generally useful capabilities in trust evaluation, context-aware or not. The basic function for context-aware trust evaluation is defined by the following function from attributes to trust values:

$$\mathit{ctrust}_{S,\sigma} : \mathit{Quality} \times \mathit{Context} \to [0, 1] \qquad (1)$$

Here $S$ is the Trustor, and $\sigma$ is the trust scope. In this way we underline that a trust evaluation function is subjective to the trustor (see also [13, 14]) and that it depends on the trust scope. Moreover, $\mathit{ctrust}_{S,\sigma}$ is defined over the data set Attributes which, as said in Section 4.1, is split into quality attributes (Quality) and context attributes (Context) depending on the trust scope $\sigma$.

We propose the whole trust evaluation process to be divided into two stages:
• the first stage is any traditional trust determination process;

• the second stage analyzes contextual information to adjust the output of the first stage.

Formally, we propose that the trust function in (1) has the following shape:

$$\mathit{ctrust}_{S,\sigma}(C, Q) \triangleq C \otimes \mathit{trust}_{S,\sigma}(Q)$$

The first stage is depicted by the function $\mathit{trust}_{S,\sigma}(Q)$. This function can be one of the existing procedures coping with trust evaluation, for example the ones specialized for recommendation-based trust management (see for example [17, 22]). $\mathit{trust}_{S,\sigma}(Q)$, when given an array of quality attributes only, returns a trust value.

The second stage is depicted by the operator $\otimes$. This operator iteratively adjusts the trust value provided at the first stage by evaluating each piece of context in the array $C$ of context attributes. To construct the “adjusting operator” $\otimes$ we first define, for each data type name $a_k$, the following entities:

• $p_k : A_k \to \mathit{bool}$, a predicate that expresses some relevant properties over values of type $A_k$ (of name $a_k$).

• $w_k \in \mathit{Weights}$, a numerical weighting $w_k$ that expresses the impact of the context attributes of type name $a_k$ in the process of refinement.

Here, a predicate $p$ will be used to determine whether a certain context value $c$ has a positive (true) or negative (false) influence on the trust tuning/adjusting.

Set Weights represents the set of possible weightings. We assume $(\mathit{Weights}, >)$ to be a totally ordered set, with $w_0$ its minimum element. Weightings are used to increase or decrease the impact of context data during the process of adjusting. The larger the weight, the larger will the tuning effect be (when talking about Weights, any reference to terms that involve a concept of ordering must be intended with regard to the relation $>$). Note that if the weight is large the adjustment can be quite significant: this reflects a situation in which that context data (for example the Trustor’s location) is considered (by the Trustor) to affect strongly a preliminary trust evaluation based on Trustee’s quality attributes only.

The minimum $w_0$ is devoted to represent the “I do not care” weighting, that is, context attributes of weight $w_0$ will not have any impact in the process of refinement.

In addition we define two functions

$$\mathit{inc} : \mathit{Weights} \to ([0, 1] \to [0, 1]) \qquad (2)$$

$$\mathit{dec} : \mathit{Weights} \to ([0, 1] \to [0, 1]) \qquad (3)$$

for the positive and the negative adjustment of a trust value $v$, depending on a certain weight $w$.

Note 1. Having chosen a weighting $w \in \mathit{Weights}$, $\mathit{inc}_w$ and $\mathit{dec}_w$ are the functions of type $[0, 1] \to [0, 1]$ that given a trust value $v$ return an adjusted (respectively incremented, decremented with regard to the weighting $w$) trust value $v'$.

Definition 2. inc and dec are said to be well behaving defining functions if in their own domain:

1. For any $w \neq w_0$, $\mathit{inc}_w(v) > v$ and $\mathit{dec}_w(v) < v$, for all $v \in\ ]0, 1[$, that is, they represent positive and negative adjustment as expected.

2. $\mathit{inc}_{w_0}(v) = \mathit{dec}_{w_0}(v) = v$, that is, weighting $w_0$ has no impact in the adjustment.

3. When $w > w'$, $\mathit{inc}_w(v) > \mathit{inc}_{w'}(v)$ and $\mathit{dec}_w(v) < \mathit{dec}_{w'}(v)$ for all $v \in\ ]0, 1[$, that is, the larger the weighting the more the result of the adjustment.

Note 2. In items 1. and 3., the exclusion of the points $v = 0, 1$ is due to two main motivations. The first, obvious, is that we cannot go beyond $[0, 1]$ when decreasing and increasing. In other words, $\mathit{inc}_w(1) = 1$ and $\mathit{dec}_w(0) = 0$. The latter concerns the possibility of having $\mathit{inc}_w(0) \geq 0$ and $\mathit{dec}_w(1) \leq 1$; here, because 0 and 1 express complete (dogmatic) belief and complete disbelief, we make the restriction that no change in context can have effect in the trust evaluation.

Other restrictions over inc and dec may be required (for example, $\mathit{inc}_w(\mathit{dec}_w(v)) = \mathit{dec}_w(\mathit{inc}_w(v))$, the property of being reciprocally commutative), but here we prefer to define our adjustment functions in the most general way. More specific sub-families of the functions can be introduced case-by-case.

Although we will provide concrete examples of adjustment functions in the following section, a comprehensive study over them is beyond the target of this paper and it is left as future work.

Given a trust value $v$, arrays $C = \langle c_1, \ldots, c_m \rangle$ of context data, $\langle w_1, \ldots, w_m \rangle$ of weights, and $\langle p_1, \ldots, p_m \rangle$ of predicates, the procedure that implements $\otimes$ consistently with certain $\mathit{inc}_w(v)$ and $\mathit{dec}_w(v)$ functions is described by Algorithm 1.

Algorithm 1 Context Tuning

    procedure ⊗(C, v)
        for all k ← 1, m do
            if p_k(c_k) then v ← inc_{w_k}(v)
            else v ← dec_{w_k}(v)
            end if
        end for
        return v
    end procedure

Example 4.

An instance of our framework can be specified, for example, by setting Weights to any interval $[1, N]$ of rational numbers, with $N$ a fixed constant. In this case $w_0 = 1$. The following family of functions is used to calculate the positive and negative adjustment for a certain weighting $w$:

$$\mathit{dec}_w(v) \triangleq v^w$$

$$\mathit{inc}_w(v) \triangleq \sqrt[w]{v}$$

Figure 2 depicts the effect of some example weightings. Note that inc and dec are well behaving functions according to Definition 2. Moreover they satisfy the following additional properties:

4. $\mathit{inc}_w(\mathit{dec}_w(v)) = v$ and $\mathit{dec}_w(\mathit{inc}_w(v)) = v$, that is, they are mutually commutative;
5. $f_w(g_{w'}(v)) = g_{w'}(f_w(v))$ where $f, g \in \{\mathit{inc}, \mathit{dec}\}$, that is, they are order-independent with regard to the context data array.

Let us now suppose we have a trust value $t = 0.7$, and analyze the context attributes $(c_1; c_2) = (2.2; 2.5)$. The associated weightings are $(w_1, w_2) = (2; \frac{3}{2})$, while the relative predicates are $p_1(c) = p_2(c) = (c > 2.4)$. We apply Algorithm 1 to calculate $(2.2; 2.5) \otimes 0.7$, and we obtain the following trace of execution:

$$t' = \mathit{dec}_{w_1}(0.7) = \mathit{dec}_2(0.7) = (0.7)^2 = 0.49$$

$$t'' = \mathit{inc}_{w_2}(0.49) = \mathit{inc}_{3/2}(0.49) = \sqrt[3/2]{0.49} = 0.56$$

The analysis of context attributes has changed a trust value (coming from a first phase) from 0.7 to 0.56.

Figure 2: Chart showing the shape of the family of functions $\mathit{dec}_w(v) = v^w$ ($\mathit{inc}_w(v) = \sqrt[w]{v}$ resp.) with weight $w \in \{1; \frac{3}{2}; 2; 3; 4\}$.

Additional example functions are briefly discussed in Section 7.

4.2.3 Context Ontology

In the presence of a context ontology which connects the context attributes with each other in an appropriate manner, some reasoning can be made even if assigning the boolean predicate $p_k$ to the context parameter currently under inspection is not possible. The flexibility enables utilising context attributes which do not exactly match the query, but are “close enough” to it [31, 9]. For example, the QoS properties of a network, over which some software component is downloaded, can be described in such ontology (cf. [34]).

Suppose that the current network is not pre-evaluated with regard to its impact on trustworthiness. However, its neighbors in the ontology are networks which have pre-evaluated trustworthiness values. By using these values as well as their “semantic distance” to the current network, the trustworthiness can be estimated. The Object Match algorithm, outlined in [31], would calculate this semantic distance by taking into account the “upwards cotopy”, that is, the distance between the currently investigated concept and a root-concept of the ontology.

Figure 3: Concepts in the network ontology. The upwards cotopy is calculated as the ratio between the number of shared nodes from the source node and the sink node to the root node, and the total number of nodes from the source and the sink to the root node. For example, in the case of B1 and B2, the numbers are $|\mathit{Bluetooth}, \mathit{PacketSwitched}, \mathit{Wireless}, \mathit{Network}| = 4$ and $|\mathit{B1}, \mathit{B2}, \mathit{Bluetooth}, \mathit{PacketSwitched}, \mathit{Wireless}, \mathit{Network}| = 6$ and the semantic distance between the source and the sink therefore is $\frac{4}{6} \approx 0.67$. (Node labels in the diagram: Network; Wireless, Wireline; Packet Switched, Circuit Switched; Bluetooth, UMTS, GSM; B1, B2, U, G.)

Furthermore, the networks are organized in a network ontology, as depicted in Figure 3. Say that the current network B1 is a bluetooth network, of which there are no pre-evaluated trustworthiness values. However, there exist trustworthiness values of three other networks, which are as follows:

• B2, a bluetooth network which would entail $\mathit{inc}_{1.2}(v)$, semantic distance to B1 ≈ 0.67

• U, a UMTS network which would entail $\mathit{inc}_{1.5}(v)$, semantic distance to B1 ≈ 0.43

• G, a GSM network which would entail $\mathit{dec}_{1.1}(v)$, semantic distance to B1 = 0.25

Considering these networks as equal, that is, without taking into account the semantic distance, would entail tuning the trust with $\sqrt[1.2]{\sqrt[1.5]{v^{1.1}}} \approx \mathit{inc}_{1.64}(v)$. Instead, if the semantic distance is incorporated, the calculation goes as follows: $\sqrt[1.2 \cdot 0.67]{\sqrt[1.5 \cdot 0.43]{v^{(1.1 \cdot 0.25)}}} \approx \mathit{inc}_{1.89}(v)$. In other words, the trust is increased more, since the kind of network causing the decrement (G) is semantically further away from the current node, and therefore considered less important. This example showed how considering the semantic distance can amplify the increment/decrement effect.

Note that in this example ontology the concepts are organized based on the properties of a network, such as whether the network in question is circuit switched or packet switched. Typically, other details concerning the network, for example its provider, are more important with regard to trust evaluation than its implementation details. That is why the
weights assigned for the semantic distance in an ontology such as the one presented in this section should be relatively small. In our approach, the trust related to the network provider can be considered in terms of reputation and recommendations, both of which will be considered later on in the paper.

4.3 Advanced Trust Evaluation Functions

This section shows how context can be used to complement traditional aspects influencing trust formation. More specifically, we consider reputation and recommendations. Before we can do that, however, we must address the notion of time-line, since it is needed for coping with the history-dependent nature of these topics.

4.3.1 Time Line

We assume a time line for distinguishing between different instances where we apply the trust evaluation procedure. We can generally assume that Time is the set of natural numbers, where $0 \in \mathit{Time}$ is the initial time. With the concept of time we also implicitly assume that the result of a trust evaluation process varies over time. Note that such variation is due to the fact that the input data used by the trust evaluation function changes over time, while the way of reasoning about trust does not. In certain scenarios, even the mechanism of reasoning about trust may change in time, but dealing with this concept of second order dynamism in trust is outside the scope of this paper.

Observation 1. In this case the use of time is part of the operational semantics we are giving to our trust evaluation functions. It must not be confused with contextual information “time” that may be used as an input, that is, as part of Context.

If we assume that the trust evaluation happens at time $i$, we need to bind the time also with the input that is used by the evaluation procedure. Then we indicate with $\mathit{Attributes}^i$ the set of data in the instance of a scenario of trust at evaluation time $i$.

We indicate with $Q^i_\sigma \in Q_\sigma$ the vector of quality attributes that are available for the Trustor at time $i$. Note that $Q^i_\sigma \sqsubseteq \mathit{Attributes}^i$. We work under the simplified assumption that $Q^0_\sigma = Q^i_\sigma$, for all $i > 0$. This means that the quality attributes do not change along a time line of trust evaluation, unless the Trustee itself is changed. In a more general situation the quality attributes may depend on time. For example, a curriculum vitae of a person may be updated. This assumption allows us to concentrate on contextual aspects and problems. However, should there be a need, some of the techniques here restricted to context attributes can be applied also to quality attributes. We write $C^i_\sigma \in C_\sigma$ to indicate the state of context at time $i$.

Example 5 (Messaging Continued).

In reference to Example 1 and in case of trust scope (“Is that really Bob who cheers me?”), quality attributes and context attributes at a certain time $i$ are represented by the following tuples:

$$\mathit{Attributes}^i = \{ \langle +300586, \text{MalisFone}, \text{NY}, \text{Dublin}, \text{“hates jokes”}, \mathit{true}, \mathit{false} \rangle \}$$

$$Q^i_\sigma = \{ \langle +390586, \text{MalisFone} \rangle \}$$

$$C^i_\sigma = \{ \langle \text{NY}, \text{Dublin}, \text{“hates jokes”}, \mathit{true}, \mathit{false} \rangle \}$$

As a matter of notation, we indicate with $\mathit{ctrust}^i_{S,\sigma}(Q)$ the evaluation of trust performed at time $i \geq 0$:

$$\mathit{ctrust}^i_{S,\sigma}(Q) \triangleq \mathit{ctrust}_{S,\sigma}(Q, C^i_\sigma)$$

The implementation of this function does not change with respect to the one given in the previous section. We only need to bind the evaluation with time $i$, as follows:

$$\mathit{ctrust}^i_{S,\sigma}(Q) \triangleq C^i \otimes \mathit{trust}^i_{S,\sigma}(Q)$$

Here $\mathit{trust}^i_{S,\sigma}(Q)$ represents the result of a context-independent trust evaluation function, applied at time $i$. Note that although we have assumed $Q$ to remain constant, $\mathit{trust}^i_{S,\sigma}(Q)$ may provide different results along the time. For example, the recommendations may change in the course of time due to the recommenders’ new experiences of dealing with the trustee.

4.3.2 Adding Reputations

The next concept we need to consider in trust evaluation is reputation [17]. Taking care of the Trustee’s reputation means that trust evaluation performed at time $i > 0$ may be affected by past experiences that happened at a previous time $j$, $0 \leq j < i$. Reputation introduces a history-dependent dimension in trust evaluation. We formalize the high-level definition of $\mathit{ctrust}_{S,\sigma}(\,,\,)$ history-dependence by proposing an updated definition of the trust evaluation function, which accepts a trust value as an additional parameter in input:

$$\mathit{ctrust}_S : \mathit{Quality} \times \mathit{Context} \times [0, 1] \to [0, 1]$$

We trigger the process of trust evaluation at time $i > 0$ with the following function call:

$$\mathit{ctrust}^i_S(Q) \triangleq \mathit{ctrust}_S(Q, C^i, r^i)$$

where $r^i$ is an appropriate reputation value, available at time $i$. Here the term “appropriate” means that we look for a past experience performed in a context that is compatible with the one considered at the present time $i$ [2].

We formalize compatibility among two context values $c, c'$ of type $a_k$, written $c \sim c'$, as the following binary predicate:

$$c \sim c' \iff p_k(c) == p_k(c') \qquad (4)$$

Here $==$ means evaluating as the same, that is, $c \sim c'$ if and only if the predicate $p_k(\,)$ returns the same value when applied both to $c$ and $c'$.

When dealing with an array of context data, we need to calculate their “grade of compatibility”, that is, their closeness in terms of the compatibility function $\sim$. To this aim we propose the following function $d(\,)$:

$$d(C, C') \triangleq \sum_{k=1}^{m} \frac{w_k \cdot (c_k \sim c'_k)}{W} \qquad (5)$$

where $W = \sum_{k=1}^{m} w_k$. Function (5) measures the weighted and normalized grade of affinity, with regard to the predicates we have defined over context type, of two arrays of context data.

Our selection of a compatible past experience is based on the quest for the experience performed in the past time
$M$, such that the grade of compatibility with the present context $C^i$ is maximal. In case there exists more than one past experience with this maximum value, the most recent one is chosen. Formally, $M$ is such that:

• $d(C^i, C^M) = \max_{k=1}^{i} \{ d(C^i, C^k) \}$
• $\nexists\, M' > M$ such that $d(C^i, C^{M'}) = d(C^i, C^M)$

As a conclusion, we are now able to specify the term $r^i$, of “appropriate” reputation at time $i$, as the trust evaluation result of the Trustor $S$, for scope $\sigma$, performed in the most recent past where the context has maximum degree of compatibility with the present one. Formally:

$$r^i = \mathrm{ctrust}^M_{S,\sigma}(C)$$

where $M$ is calculated as explained above.

4.3.3 Adding Recommendations
The final concept we need to consider in trust evaluation is recommendation. A recommendation is a kind of communicated reputation:

Definition 3 (Recommendation [29]). A recommendation is an attempt at communicating a party’s reputation from one community to another. The parties can be for example human users, devices, software components, or combinations of these.

Despite the intuitive definition given above, there exists no consensus on the nature of recommendation. In the literature there are two different complementary trends: either a recommendation is or is not a trust value. In the first case, a recommendation is the trust value assessed by the recommender about the Trustee. This option is, for instance, used by Abdul-Rahman and Hailes [2]. A recommender can say, for instance, “in my opinion, c is totally trustworthy” without explicitly providing any proof or data supporting the assessment. In the latter case, a recommendation is any collection of data except a trust value that the recommender possesses about the Trustee. For example, a recommendation can be a log of events describing the recommender’s experience with the Trustee [30].

In order to consider the recommendation, the Trustor has to share with its recommender at least a common vision of trust. This statement is implicitly included in Definition 3, where the word “attempt” denotes that the source and target of a recommendation may be incompatible if they belong to different communities [29].

Note 3. We assume a recommendation to be a trust value.

The version of the trust evaluation function that considers also recommendations is as follows:

$$\mathrm{ctrust}_S : \mathit{Quality} \times \mathit{Context} \times [0, 1] \times 2^{[0,1]} \to [0, 1]$$

Here $2^{[0,1]}$ represents the set of recommendations. We trigger the process of trust evaluation at time $i > 0$, with the following function call:

$$\mathrm{ctrust}^i_S(Q) \triangleq \mathrm{ctrust}_S(Q, C^i, r^i, R^i)$$

where $r^i$ is an appropriate reputation value available at time $i$, and where $R^i$ is an appropriate set of recommendations available at time $i$. Again, to obtain “appropriate” reputations, we resort to the context data. Reputations can be filtered by considering the context compatibility. Let us assume to have a certain acceptance grade of compatibility we require in order to consider a reputation to be significant. Here we can use another set of weights, different from the weights we considered when tuning trust. From the set of recommendations $R$ we prune out those which cannot reach the required grade of compatibility.

Let us assume $R = \{ (r_u, C_u) \mid u \in S \}$ to be the set of recommendations from a set $R$ of recommenders. Each recommendation $(r, C)$ carries the context $C$ it relates to. The appropriate set of recommendations we consider in our $\mathrm{trust}_{S,\sigma}$ is the filtered set $R^i = \{ (r', C') \in R \mid d(C', C^i) > T \}$, where $T$ represents a compatibility threshold decided by the Trustor. Note that here we are not interested in coping with the set of recommendations and reputations according to the trust management practice, because this problem is assumed to be solved by the function $\mathrm{trust}_{S,\sigma}$ we use in the first stage of the evaluation.

5. EXAMPLE
A game application running on a gaming device is composed by a game manager component (GM) and by one game scenario component (GS). Figure 4 depicts the scenario of a game application composed of these two components. A new game may be composed by downloading new components. Game managers and game scenarios are available on the Internet and they are supplied by different software providers on their Web sites.

[Figure 4 diagram. Edge labels: trusts, composes, provided by, inter-dependencies, ctx. Attributes listed per entity:]
Player / Application (trustor). Quality attributes: device profile, user profile. Context attributes: network status, device status, location (player), activity (player), ...
Game Composition (trustee). Quality attributes: ?. Context attributes: network status, CPU usage (actual), memory usage (actual).
Game Manager (GM) (trustee). Quality attributes: type / category, version, CPU usage (est.), memory usage (estimated), dependencies. Context attributes: network status, CPU usage (actual), memory usage (actual).
Game Scenario (GS) (trustee). Quality attributes: type / category, version, CPU usage (est.), memory usage (estimated), dependencies. Context attributes: network status, CPU usage (actual), memory usage (actual).
GM Provider (trustee). Quality attributes: recommendation set, behavior history. Context attributes: network status, site availability.
GS Provider (trustee). Quality attributes: recommendation set, behavior history. Context attributes: network status, site availability.
Figure 4: Quality attributes and context attributes for a composed game application. For example, in a certain scenario of trust, the trustee can be the Game Scenario (GS) component, and the quality attributes and the context attributes as in the bold bounded column.

Before downloading and installing a new component, the game application checks the hardware and software characteristics of the new game, to evaluate whether the new composition is trustworthy enough or not when running on the current device. This evaluation can include considering both the quality attributes, and the contextual information describing the current situation. It might be the case that the new component is available by different providers or by different mirror sites of one provider. These sites can have varying context attributes such as the current availability. In addition, the sites can have different versions of the needed component(s), which have impact on the interoperability: For example, the GS Dungeon v103 presupposes GM v112 or higher, whereas GS Dungeon v102 can manage with GM v070 or higher. Furthermore, the different component versions can have varying requirements on the device hard- and software.

We now further concretize the running example by assigning actual values to the context attributes appearing in it. More specifically, we extract two trust scopes ($\sigma_1$ and $\sigma_2$) for the user/trustor ($S$). The scopes differ with regard to context. $\sigma_1$ has the user on the bus, having access only to a heavily loaded wireless network, and using a small device with limited capabilities (both estimated and actual). $\sigma_2$, in contrast, has the user at home, having a broadband access to the Internet, and using a PC with lots of available memory and CPU time.

Furthermore, there are two versions of the Game Scenario components available. Both versions perform the same functionalities and are in that sense applicable in both trust scopes. However, they differ in respects that can be significant in terms of the trust scopes $\sigma_1$ and $\sigma_2$. Suppose that Game Scenario component version A is large in size, requires
a lot of memory and CPU time, its provider has a good reputation based on $S$’s past experience, and the provider is also recommended by a good friend of $S$. Component version B, in turn, is small in size, requires little memory and CPU. However, its provider is unknown to $S$ and therefore has no reputation history nor recommendations available to $S$. Say that the initial trust values for the respective components are $t_A$: 0.6 and $t_B$: 0.5 ($t_A$ is a little higher, because A’s provider is known by $S$ to have a good reputation and is also recommended to $S$).

Based on the trust scopes $\sigma_1$ and $\sigma_2$, $S$’s device can perform the following context-aware trust calculations on the available component versions. In the following we use the definition of inc and dec given in Example 4:

• Trust scope $\sigma_1$
– Game Scenario component version A
∗ Large in size: $\mathrm{dec}_{2}(t)$
∗ Requires a lot of memory: $\mathrm{dec}_{1.5}(t)$
∗ Requires a lot of CPU time: $\mathrm{dec}_{1.5}(t)$
∗ Good reputation: $\mathrm{inc}_{1.25}(t)$
∗ Recommended by a friend: $\mathrm{inc}_{1.25}(t)$
– Game Scenario component version B
∗ Small in size: $\mathrm{inc}_{2}(t)$
∗ Requires little memory: $\mathrm{inc}_{1.5}(t)$
∗ Requires little CPU time: $\mathrm{inc}_{1.5}(t)$
• Trust scope $\sigma_2$
– Game Scenario component version A
∗ Large in size: $\mathrm{dec}_{1.1}(t)$
∗ Requires a lot of memory: $\mathrm{dec}_{1.1}(t)$
∗ Requires a lot of CPU time: $\mathrm{dec}_{1.1}(t)$
∗ Good reputation: $\mathrm{inc}_{1.5}(t)$
∗ Recommended by a friend: $\mathrm{inc}_{1.5}(t)$
– Game Scenario component version B
∗ Small in size: $\mathrm{inc}_{1.1}(t)$
∗ Requires little memory: $\mathrm{inc}_{1.1}(t)$
∗ Requires little CPU time: $\mathrm{inc}_{1.1}(t)$

Based on this information, we can calculate the context-aware trust value. First, for trust scope $\sigma_1$ and software version A, we can calculate according to the following steps, starting from trust value $t_0$, which is 0.6:

$$t_1 = (t_0)^{2} = 0.6^{2} = 0.36$$
$$t_2 = (t_1)^{1.5} = 0.36^{1.5} = 0.22$$
$$t_3 = (t_2)^{1.5} = 0.22^{1.5} = 0.10$$
$$t_4 = \sqrt[1.25]{t_3} = \sqrt[1.25]{0.10} = 0.16$$
$$t_5 = \sqrt[1.25]{t_4} = \sqrt[1.25]{0.16} = 0.23$$

So the final value for Game Scenario component A is 0.23. In the same way, component version B in trust scope $\sigma_1$ receives the value 0.89. In trust scope $\sigma_2$, instead, A receives the value 0.74 and B the value 0.59. In other words, in trust scope $\sigma_1$ the component version B is valued over component version A, because it better fits the contextual requirements. In scope $\sigma_2$, the valuations for the components are closer to each other, but this time the component version A is valued over B.

This example clearly verifies the hypothesis presented earlier, namely that the weights assigned to the context attributes should be quite small. Here the smallest value assigned for $w$ was 1.1 and the largest 2, and still the trustworthiness values varied between 0.23 and 0.89, therefore consuming a large portion of the scale [0,1].

Another way to draw a line between trust scopes would be to consider the game scenario in one scope, and the whole composite game in another. This way the following situations could be extracted:

Trust scope focusing on the game scenario: The game application is interested in evaluating the trustworthiness of a single piece of software representing the new game scenario. Quality attributes are the names of the component and the provider, version of the component, reputation of the software provider, recommendations from friends on the provider. Context attributes are the actual size of the component being downloaded, the current download speed of the site from where the software is downloaded, the throughput of the network over which the software is going to be downloaded, and also the hardware characteristics of the game device (its available RAM memory, and the current CPU load).

Trust scope focusing on the composite game: The game application is evaluating the trustworthiness of the composite game as a whole. Quality attributes are all the quality attributes of the components participating in the composition, as well as their providers’ quality attributes. In addition, the estimated average CPU and memory usage of GS and GM together and the interdependencies between the versions of the GS and GM components are considered as quality attributes in this example. Context attributes, in turn, are the actual size and resource (CPU and memory) consumption of the downloaded and composed components, and the current hardware characteristics of the game device.

6. CONCLUSIONS
Situational details can have impact on how trustworthy a trustor considers the trustee. These situational details can characterize the trustor, the trustee, and the environment around them. Inspired by this observation, we described and formalized functions for context-aware trustworthiness evaluation. Such functions take into account the individual context attributes, and assign them with values influencing the trustworthiness evaluation process. Depending on the importance of a given context attribute, determined by what we call a trust scope, weights can be applied to amplify or weaken the influence.

Trustee’s reputation, that is, the trustor’s past observations of the trustee, can further impact the trustworthiness evaluation. We apply the notion of context also to the reputations by emphasizing more the observations that have taken place under similar conditions as where the trustor currently is. Finally, the trustworthiness evaluation can include recommendations from others. There are two relationships between recommendations and context. First, as was the case with reputation, the contextual details at the time when the recommendation was made can be considered and compared with the trustor’s current context. Note that considering this is not as straightforward as was the case with reputation, since recommendations come from others, not from the trustor. Secondly, the recommendation content can be context-dependent.

We concretized our formalizations with an example concerning a game application, which is composed out of downloaded components.

7. FUTURE WORK
Our future work includes further refining the trust functions, as well as testing them with real applications. We now present some initial ideas for additional examples of adjusting functions. The first example is an extension of Example 4. We use the same class of functions to define different increment and decrement adjustments. The alternative definitions for the positive and the negative adjustment for a weighting $w \in [1, N]$ are defined as follows:

$$\mathrm{dec}_w(v) \triangleq \frac{v + v^{w}}{2}$$
$$\mathrm{inc}_w(v) \triangleq \frac{v + \sqrt[w]{v}}{2}$$

inc and dec are well behaving according to Definition 2; moreover, they enjoy the same properties 4. and 5. stated in Example 4.

Another example of families of adjusting functions comes from considering a beam of functions generated by one single “kind” of curve. In this case the weightings are used as amplification/de-amplification factors. For example, if we choose $\mathit{Weights} = [0, 1]$ a simple example is given as follows:

$$\mathrm{dec}_w(v) \triangleq v + w$$
$$\mathrm{inc}_w(v) \triangleq v - w$$

restricted on [0, 1]. Figure 5(A) gives a graphical representation of them.

[Figure 5 plots: panels (A) and (B), both axes running from 0 to 1.]
Figure 5: Two beams of functions that can be used to define dec and inc: (A) the beam of strict lines, parallel to $y = x$, restricted in [0, 1]; (B) the beam of parabola $y = 2ax(x - \sqrt{2})$ rotated anti-clockwise by $\pi/4$ and restricted to [0, 1].

If we choose $w \in \mathit{Weights} = [0, \sqrt{2}]$, another family of functions can be defined as follows:

$$\mathrm{dec}_w(v) \triangleq R_{\pi/4} \begin{pmatrix} v' \\ 2 w v' (\sqrt{2} - v') \end{pmatrix}$$
$$\mathrm{inc}_w(v') \triangleq R_{\pi/4} \begin{pmatrix} v' \\ 2 (-w) v' (\sqrt{2} - v') \end{pmatrix}$$

restricted on [0, 1]. Here $R_{\pi/4}$ is the rotation matrix, and $v'$ is the value corresponding to $v$ in the non-rotated
coordinate system. Figure 5(B) shows the graph of these functions.

We envisage that working with running examples helps us to extract the truly relevant context attributes, as well as give us guidelines on the weights to be assigned to them. In addition, visualizing the trustworthiness evaluation from the end user’s perspective should receive some attention. The user should be aware of the characteristics and interrelations of the factors which compose the trustworthiness.

8. ACKNOWLEDGEMENTS
The authors have been supported by the European ITEA project Trust4All. The authors would like to thank the anonymous reviewers for their useful suggestions that led to an improvement of the paper. S. Toivonen thanks H. Helin for his comments on the context ontology. G. Lenzini thanks A. Tokmakoff for his comments on the whole paper, and I. De la Fuente for her hints on alternative functions.

9. REFERENCES
[1] A. Abdul-Rahman and S. Hailes. A distributed trust model. In Proc. of the 1997 New Security Paradigms Workshop, Cumbria, UK, 23-26 September 1997, pages 48–60. ACM and Univ. of Newcastle, ACM Association for Computing Machinery, 1997.
[2] A. Abdul-Rahman and S. Hailes. Supporting trust in virtual communities. In I. C. Society, editor, Proc. of the 33rd Hawaii International Conference on System Sciences (HICSS33), (CD/ROM), Maui, Hawaii, 4-7 January 2000, volume 6 of HICSS Digital Library, pages 1–9. IEEE Computer Society, 2000.
[3] R. Ashri, S. D. Ramchurn, J. Sabater, M. Luck, and N. R. Jennings. Trust evaluation through relationship analysis. In F. Dignum, V. Dignum, S. Koenig, S. Kraus, M. P. Singh, and M. Wooldridge, editors, Proc. of the 4th International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS 2005), July 25-29, 2005, Utrecht, The Netherlands, pages 1005–1011. ACM, 2005.
[4] M. Blaze, J. Feigenbaum, J. Ioannidis, and A. G. Keromytis. The role of trust management in distributed systems security. In J. Vitek and C. Jensen, editors, Secure Internet Programming: Issues in Distributed and Mobile Object Systems, State-of-the-Art, pages 185–210. Springer-Verlag, 1999.
[5] M. Blaze, J. Feigenbaum, and A. D. Keromytis. Keynote: Trust management for public-key infrastructures (position paper). In B. Christianson, B. Crispo, W. S. Harbison, and M. Roe, editors, Proc. of the 6th International Security Protocols Workshop, Cambridge, UK, April 15-17, 1998, volume 1550 of LNCS, pages 59–63. Springer-Verlag, 1999.
[6] M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In Proc. of the 1996 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 6-8 May 1996, pages 164–173. IEEE Computer Society, 1996.
[7] M. Carbone, M. Nielsen, and V. Sassone. A formal model for trust in dynamic networks. In Proc. of the 1st International Conference on Software Engineering and Formal Methods (SEFM 2003), 22-27 September 2003, Brisbane, Australia, pages 54–59. IEEE Computer Society, 2003.
[8] Y.-H. Chu. REFEREE: trust management for web applications. Technical report, AT&T Research Lab, 1997.
[9] O. Corby, R. Dieng-Kuntz, C. Faron-Zucker, and F. Gandon. Searching the Semantic Web: Approximate Query Processing Based on Ontologies. IEEE Intelligent Systems, 21(1):20–27, 2006.
[10] A. K. Dey, D. Salber, and G. Abowd. A Conceptual Framework and a Toolkit for Supporting the Rapid Prototyping of Context-Aware Applications. Human-Computer Interaction (HCI) Journal, 16(2-4):97–166, 2001.
[11] F. Espinoza et al. GeoNotes: Social and Navigational Aspects of Location-Based Information Systems. In Proceedings of the International Conference on Ubiquitous Computing (Ubicomp 2001), pages 2–17. Springer, September/October 2001.
[12] J. A. Golbeck. Computing and Applying Trust in Web-based Social Networks. PhD thesis, University of Maryland, Computer Science Department, April 2005.
[13] T. Grandison and M. Sloman. A survey of trust in internet applications. IEEE Communications and Survey, Fourth Quarter, 3(4):2–16, 2000.
[14] T. Grandison and M. Sloman. Specifying and analysing trust for internet applications. In J. L. Monteiro, P. M. C. Swatman, and L. V. Tavares, editors, Towards The Knowledge Society: eCommerce, eBusiness, and eGovernment, Proc. of the 2nd IFIP Conference on E-Commerce, E-Business (I3E 2002), October 7-9, 2002, Lisbon, Portugal, volume 233 of IFIP Conference Proceedings, pages 145–157. Kluwer, 2002.
[15] A. Jøsang. A logic for uncertain probabilities. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 9(3):279–312, June 2001.
[16] A. Jøsang, L. Gray, and M. Kinateder. Simplification and analysis of transitive trust networks. Web Intelligence and Agent Systems Journal, 2006. (to appear).
[17] A. Jøsang, R. Ismail, and C. Boyd. A survey of trust and reputation systems for online service provision. Decision Support Systems, 2005. (available on line on ScienceDirect) in press.
[18] A. Jøsang and S. L. Presti. Analysing the relationship between risk and trust. In C. Jensen, S. Poslad, and T. Dimitrakos, editors, Proc. of the 2nd International Conference on Trust Management (iTrust 2004), Oxford, UK, 29 March - 1 April, 2004, volume 2995 of LNCS, pages 135–145. Springer-Verlag, 2004.
[19] K. Krukow, M. Nielsen, and V. Sassone. A framework for concrete reputation-systems. Technical Report RS-05-23, Univ. of Aarhus, Denmark, June 2005.
[20] K. Krukow, M. Nielsen, and V. Sassone. A framework for concrete reputation-systems with applications to history-based access control (extended abstract). In Proc. of the 12th ACM Conference on Computer and Communications Security (CCS’05), USA, 7-11 November 2005. ACM Association for Computing Machinery, 2005.
[21] B. Larsen, editor. Proceedings of the ACM SIGIR 2005 Workshop on Information Retrieval in Context (IRiX), Copenhagen, Denmark, Aug. 2005. Department of Information Studies, Royal School of Library and Information Science.
[22] J. Liu and V. Issarny. Enhanced reputation mechanism for mobile ad hoc networks. In C. Jensen, S. Poslad, and T. Dimitrakos, editors, Proc. of the 2nd International Conference on Trust Management (iTrust 2004), Oxford, UK, 29 March - 1 April, 2004, volume 2995 of LNCS, pages 48–62. Springer-Verlag, 2004.
[23] S. Majithia, A. S. Ali, O. F. Rana, and D. W. Walker. Reputation-based semantic service discovery. In Proc. of the 13th IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE’04). IEEE Computer Society, 2004.
[24] S. Mostefaoui and B. Hirsbrunner. Context aware service provisioning. In Proceedings of the IEEE/ACS International Conference on Pervasive Services (ICPS 2004), pages 71–80. IEEE, July 2004.
[25] K. O’Hara, H. Alani, Y. Kalfoglou, and N. Shadbolt. Trust strategies for the semantic web. In J. Golbeck, P. A. Bonatti, W. Nejdl, D. Olmedilla, and M. Winslett, editors, Proc. of the Workshop on Trust, Security, and Reputation on the Semantic Web – held as part of International Semantic Web Conference (ISWC 2004), Hiroshima, Japan, November 7, 2004, volume 127 of CEUR Workshop Proceedings. CEUR-WS.org, 2004.
[26] J. Pascoe. The stick-e note architecture: extending the interface beyond the user. In Proceedings of the 1997 International Conference on Intelligent User Interfaces, pages 261–264. ACM Press, 1997.
[27] M. Richardson, R. Agrawal, and P. Domingos. Trust management for the semantic web. In D. Fensel, K. P. Sycara, and J. Mylopoulos, editors, Proc. of the International Semantic Web Conference (ISWC 2003), Sanibel Island, FL, USA, 20-23 October 2003, volume 2870 of LNCS, pages 351–368. Springer-Verlag, 2003.
[28] P. Robinson and M. Beigl. Trust context spaces: An infrastructure for pervasive security in context-aware environments. In D. Hutter et al., editors, Security in Pervasive Computing, First International Conference, Boppard, Germany, March 12-14, 2003, Revised Papers, volume 2802 of Lecture Notes in Computer Science, pages 157–172. Springer, 2004.
[29] S. Ruohomaa and L. Kutvonen. Trust management survey. In Proceedings of the iTrust 3rd International Conference on Trust Management, 23–26, May, 2005, Rocquencourt, France, volume 3477 of LNCS, pages 77–92. Springer-Verlag, May 2005.
[30] V. Shmatikov and C. Talcott. Reputation-based trust management. Journal of Computer Security, 13(1):167–190, 2005.
[31] N. Stojanovic et al. Seal: a framework for developing semantic portals. In K-CAP 2001: Proceedings of the international conference on Knowledge capture, pages 155–162, New York, NY, 2001. ACM Press.
[32] G. Theodorakopoulos and J. S. Baras. Trust evaluation in ad-hoc networks. In M. Jakobsson and A. Perrig, editors, Proc. of the 2004 ACM Workshop on Wireless Security, Philadelphia, PA, USA, October 1, 2004, pages 1–10. ACM, 2004.
[33] S. Toivonen and G. Denker. The impact of context on the trustworthiness of communication: An ontological approach. In J. Golbeck, P. A. Bonatti, W. Nejdl, D. Olmedilla, and M. Winslett, editors, Proc. of the Workshop on Trust, Security, and Reputation on the Semantic Web – held as part of International Semantic Web Conference (ISWC 2004), Hiroshima, Japan, November 7, 2004, volume 127 of CEUR Workshop Proceedings. CEUR-WS.org, 2004.
[34] S. Toivonen, H. Helin, M. Laukkanen, and T. Pitkäranta. Context-sensitive conversation patterns for agents in wireless environments. In S. K. Mostéfaoui, Z. Maamar, and O. Rana, editors, Proceedings of the 1st International Workshop on Ubiquitous Computing, IWUC 2004, In conjunction with ICEIS 2004, Porto, Portugal, April 2004, pages 11–17. INSTICC Press, Apr. 2004.
[35] Z. Yan, P. Zhang, and T. Virtanen. Trust evaluation based security solution in ad hoc networks. In Proc. of the Nordic Workshop on Secure IT Systems (NORDSEC 2003), Gjövik, Norway, 15-17 October 2003, 2003.
[36] K. Yang and A. Galis. Policy-driven mobile agents for context-aware service in next generation networks. In E. Horlait, T. Magedanz, and R. Glitho, editors, Mobile Agents For Telecommunication Applications, 5th International Workshop (Mata 2003), volume 2881 of Lecture Notes In Computer Science, pages 111–120, Marrakesh, Morocco, Oct. 2003. Springer.
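
The compatibility grade d of equation (5), the selection of the most compatible and most recent past experience M, and the filtered recommendation set R^i of Section 4.3.3 can be exercised together as below. This is an added example, not code from the paper: the context schema, predicates, weights, threshold values and sample data are constructed assumptions, and all function names are hypothetical.

```python
"""Context compatibility (equations 4 and 5), choice of the past experience M,
and recommendation filtering. Added illustration; schema and data constructed."""
from typing import Callable, Optional, Sequence, Tuple

Context = Tuple[object, ...]
Predicate = Callable[[object], object]


def compatible(p_k: Predicate, c: object, c_prime: object) -> int:
    """Equation (4): c ~ c' iff p_k evaluates to the same value on both."""
    return 1 if p_k(c) == p_k(c_prime) else 0


def d(C: Context, C_prime: Context,
      predicates: Sequence[Predicate], weights: Sequence[float]) -> float:
    """Equation (5): weighted, normalized grade of compatibility in [0, 1]."""
    if not (len(C) == len(C_prime) == len(predicates) == len(weights)):
        raise ValueError("contexts, predicates and weights must align")
    W = sum(weights)
    if W <= 0 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative with a positive sum")
    matched = sum(w * compatible(p, c, cp)
                  for w, p, c, cp in zip(weights, predicates, C, C_prime))
    return matched / W


def select_past_experience(history, C_now, predicates, weights):
    """Return (M, r) where M indexes the past experience whose context is
    most compatible with C_now; ties go to the most recent (largest M).
    `history` is time-ordered: history[k] = (trust value, context at k)."""
    best: Optional[Tuple[int, float]] = None
    best_score = -1.0
    for k, (trust_value, C_k) in enumerate(history):
        score = d(C_now, C_k, predicates, weights)
        if score >= best_score:  # ">=" lets a later equal score win the tie
            best, best_score = (k, trust_value), score
    return best  # None when there is no past experience


def filter_recommendations(recs, C_now, predicates, weights, T):
    """R^i: keep (r', C') only when d(C', C_now) is strictly above T."""
    return [(r, C) for r, C in recs if d(C, C_now, predicates, weights) > T]


# --- Constructed sample data (assumptions, not taken from the paper) ---
# Context tuple: (network status, player location, actual CPU load in %).
PREDICATES = [
    lambda net: net,                              # same network class
    lambda loc: loc,                              # same location
    lambda cpu: "high" if cpu >= 50 else "low",   # same CPU load bucket
]
WEIGHTS = [2, 1, 1]  # network status counts double; W = 4

C_NOW = ("wlan-loaded", "bus", 85)

HISTORY = [  # (trust value computed then, context then), oldest first
    (0.70, ("broadband", "home", 20)),
    (0.40, ("wlan-loaded", "bus", 90)),
    (0.55, ("wlan-loaded", "office", 30)),
    (0.35, ("wlan-loaded", "bus", 70)),
]

RECOMMENDATIONS = [  # (recommended trust value, recommender's context)
    (0.90, ("broadband", "home", 10)),
    (0.30, ("wlan-loaded", "bus", 95)),
    (0.60, ("wlan-loaded", "home", 60)),
]

if __name__ == "__main__":
    M, r_i = select_past_experience(HISTORY, C_NOW, PREDICATES, WEIGHTS)
    R_i = filter_recommendations(RECOMMENDATIONS, C_NOW, PREDICATES,
                                 WEIGHTS, T=0.5)
    print(f"M={M}, r^i={r_i}, R^i={R_i}")
```

Raising T from 0.5 to 0.75 drops the recommendation whose context matches only on network status and CPU bucket, because the filter uses a strict inequality.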