Oddbean new post about | logout
 Thank you for being part of this second panel discussion in our ongoing  Sovereign Webs of Trust series to find consensus around solving for WoT on Nostr. 
@straycat @Lez @hodlbod @Ghaz @JohnBNevin  @ManiMe 

I’d like to use this thread for “post panel” conversation and questions. (Instead of retreating prematurely to an issues thread in the NIPs GitHub repo.)

Speaking of which … 
Searching for “WoT” on NIP issues only brought up ONE result, in which @franzap and @Vitor Pamplona are basically discussing the SAME points that we did today. ☝🏼

https://github.com/nostr-protocol/nips/issues/1039

Here’s what’s on the table:

1. “is trusted” attestations should be part of a list event or each as individual events?

2. “is trusted” attestations should be private to author, private to author and “trusted” account, or public for all? (implementation and privacy concerns?)

3. “is trusted” value should be a binary or scalar? (or presented as binary but manipulated as scalar?)

4. “context of trust” (I trust so and so for X but not Y so much) should be embedded into trust attestations … or derived at “runtime” when content filters are applied?

5. What (in broad terms) would a content filter spec look like, where anybody (client, relay, DVM, or individual) could “publish” a filter for end users to “subscribe” to? Such filters could take ANY event data on nostr (including “is trusted”) to produce “recommendations” for content, accounts, and other stuff. IMHO, this is where rubber meets road for WoT on Nostr, and is often overlooked in light of implementing “is trusted” trust attestations. 

Hopefully between now and next panel we can nail a few of these, and have some new voices as well. 💜 
 @Vic ☝🏼 
 Also. Here’s what @straycat put together last night before our panel discussion. 

https://github.com/wds4/tapestry-protocol/blob/main/guides/grapevineIncorporation/NIP-proposal.md

Let’s take some time to digest this all and comment your thoughts freely on this (or mentioning this) thread.

We’re mostly all on the same boat, so consensus (barring language hurdles) should come pretty easy (lol). 
 Thanks. im looking over that thread to see what i can add 
 Here is my 2 cents for the questions:

1. App developers often make bugs, and for list events it means that it's easier to unwittingly erase the list if the user wants to add a new pubkey and cannot find the previous event on the network. Apart from that, it's easier to build graph from individual events (as VictorPamplona mentions in the github issue).

1.5 Replaceable events or static events? - Replaceable events can be updated, if trust relation changes over time. Also, event deletion seem to be not well implemented in relays.

2. Another model is private to the author + shared by relay/DVM when needed. I think the common sentiment is that we all see usecases for private trust events, but implementation is more complex. We need interactive protocol for this - as Hodlbod mentioned - or ZK proofs, and who knows what. For now, I think we should go for public, discover the possibilities and implement private model when we know more about the problem / we see what the main usecases are.

3. I would vote for an optional scalar "score" and "confidence" value. If they are absent, it's a binary true value.

4. I like the "context" term. I think it could be optional, but see a lot of value in embedding into the event, so as it can be used by filters as input. I don't see clearly what is the usecase for it derived by filters. Is it like "I trust this guy", and the algorithm tells me the context it was used in?

5. I'm probably not the one who has dig into it deeply. Not sure if this is what you mean by spec, but I'd like to know: what are the inputs/outputs, where the filter should be ran (client / relay / DVM / phone) and when (when content is created OR when queried). Should I be able to make a relay subscription based on a content filter? 
 This seems like a halfway to federation approach which I have no issue with. My issue is that access to the data on relay should be inaccessible by relay operators unless specifically granted by user for specific time and task. This probably wont happen though since it would imply moving the filtering / trusting capabilities to the edge by necessity and i dont see relay operators wanting to give up access to peoples data. 

Anything less than this while relying on relays leaves the door open for abuse. doesnt matter if the current devs and relay runners are saints. We dont know who comes next. its a common problem. once sysadmins, dbas, SLA holders get their hands on data they cant help themselves. eventually they start poking around. they conflate "their server" with "their data"

My true concern is that out of expedience we are setting the groundwork for future abuse and social engineering.

Good luck as you proceed.
I will watch with interest. 
 Dude. You have awesome feedback. And now I have even more questions… so no … you don’t get to just “drop a comment and go”.

- first … actually nostr already has a lot of public data for anyone (relays admins) to use in developing algos and such. 
- encrypted events are becoming a thing in Nostr. These “gift wrapped” events are mostly opaque to relay operators, which will complicate everything related to server side data processing. 
- Client side data processing of encrypted events will still be possible … and Nostr SHOULD have NIP in place for “privacy agreement” or something that keeps clients transparent and honest (like a checkbox “allow client side only processing of private DMs to improve WoT score…”)
- given all this… private “is trusted” events will be the first challenge to design an implementation standard for. Yes. These will need to be encrypted (who is trusting who) AND available for server side processing (who’s in my trust network) … I’m “confident” this is  doable. 

So yea… let’s be clear and lay solid groundwork to let WoT on Nostr be sovereign by design.  
 Unfortunately I am spending all my extra cycles on learning market stuff and dealing setting up the family migration out of Canada rn. When I get through this cycle ill get back to active participation in projects as funder or dev or both. for now though my plate is full so I have to satisfy myself with yelling from the audience.

Ill jump on stage when time allows and if there is no one else to do the specific thing. Other than that. am jus pleb 4 now ser. 
 Just so you know … we’re actually on the same page here. WoT on Nostr can and should be sovereign. Only we can make it so. I’ll keep you posted.  
 My preferred solution is similar to 2 but instead of DVM we use local llm. 
 Local LLMs could be considered in the NIP design, but the NIP itself shouldn’t care (or specify) HOW or WHERE a “WoT Filter” algo should be run. A free market of choices for publishing and subscribing to “WoT filters” is how sovereignty wins. 

(A “WoT Filter” could be anything that processes Nostr data to determine “trust rank” or “recommendations” for users or content.) 
 true if there is an overarching narrative or design philosophy that pushes towards decentralized as the default path. We dont currently have that. All the filtering projects that I have seen have been focused on the central utility we call a relay. Its expedient. Its dangerous. 
 I agree with basically everything @Lez  says in response to these questions. I’m going to give my own answers one Q at a time in this thread. 
 I’ll start with Question 4, bc this is the question that deserves the most attention right now.

Question 4: “context of trust” (I trust so and so for X but not Y so much) should be embedded into trust attestations … or derived at “runtime” when content filters are applied?

Answer: CONTEXT MUST BE EMBEDDED EXPLICITLY INTO TRUST ATTESTATIONS. This is what we must all be shouting from the mountaintops if we want to move forward on WoT. Deriving context at runtime doesn’t make sense to me. How can an algorithm derive that I trust Alice in some niche context, like to comment on the symbolism of trees in 18th century French literature? What if Alice isn’t on social media, doesn’t have any posts on this niche topic for me to like or zap or whatever? What if my trust in this context is based on real world interactions that have no digital footprint? I WANT THE OPTION TO SAY WHAT I MEAN AND MEAN WHAT I SAY, flat out, for any context that matters to me.

I’m not saying that we can’t ALSO use proxy data or algorithms or AI or filters to derive context. But are the derived contexts trustworthy? Maybe they are, maybe they’re not. Maybe I trust them, maybe I don’t. So let’s offer BOTH approaches: explicitly-stated contextual trust, AND algorithmically-derived contextual trust. I predict the former will turn out to be more useful, but no reason we can’t just use both methods and find out. 
 Question 1: “is trusted” attestations should be part of a list event or each as individual events?

Answer: I prefer each trust attestation to be its own individual event rather than having one event contain a list of attestations. Several reasons:

1. What Lez said: a single event list can get rolled back if a client updates a list using an old version of the list. This happens sometimes with follows lists, for example.

2. I want to have a way to filter against all trust attestations OF Alice, and that isn’t really feasible using the list event method.

3. If you include all optional fields, each attestation can get pretty big, including a context, a score, and a confidence. It gets cumbersome to pack multiple attestations with lots of data into one file.

4. There may be instances where we will want to reference a single attestation by note id (or naddr or whatever). 
 Question 2: “is trusted” attestations should be private to author, private to author and “trusted” account, or public for all? (implementation and privacy concerns?)

Answer: In the long run, users should have all of the above options. But we do not necessarily have to roll out all of the privacy options at the beginning. I’m thinking that to keep things simple, we should focus at first just on public attestations. When the time is right, we can add the option of making them private, which would involve encrypting the attestation. But it’s not immediately obvious whether to encrypt all of an attestation or only part of it. For example: maybe I want to encrypt the ratee pubkey, the score and the confidence, but I want the context to be unencrypted and searchable, because I want to sell all my ratings in context X for a few sats, and I want the customer to know how many such attestations exist before paying for them. Or maybe I want the ratee pubkey unemcrypted, but the score encrypted, again bc I want to make them purchaseable. It could get complicated figuring all this out, so best to figure out the specs for public use cases first and figure out the specs for private encryption later. 
 Question 3: “is trusted” value should be a binary or scalar? (or presented as binary but manipulated as scalar?)

Answer: I prefer scalar under the hood. But too many options can overwhelm the user, so in my proof of concept, I offer a binary option, where “trust” is recorded as a score of 100, and “don’t trust” is recorded as a score of 0. When the time is right, the user can be presented either with multiple options (trust none: 0, trust some: 50, or trust completely: 100) or a scrollbar. This is an example of what I mean when I say that DESIGN and an understanding of PRODUCT are so vitally important for making web of trust take off and fly. Gotta know when to keep options hidden and when / how to unveil them. 
 Question 5: What (in broad terms) would a content filter spec look like, where anybody (client, relay, DVM, or individual) could “publish” a filter for end users to “subscribe” to? Such filters could take ANY event data on nostr (including “is trusted”) to produce “recommendations” for content, accounts, and other stuff. IMHO, this is where rubber meets road for WoT on Nostr, and is often overlooked in light of implementing “is trusted” trust attestations. 

Answer: The Grapevine is my answer to this question. It is a method to filter content based on explicit, context-based trust attestations. 

In a nutshell: the core function of the Grapevine is to calculate WEIGHTED AVERAGES over things like product ratings (just to use one example), where the weights are proportional to the Influence Score of the author of the rating, in whatever context that you consider to be most relevant. Example: If I am at a nostr e-commerce site, and I want to rank all widgets from top to bottom based on average rating, then the Grapevine calculates the average score for each widget in the same way that Amazon does, EXCEPT that not all ratings are treated equally. If my Grapevine tells me Alice is an expert in widgets, her ratings weight more heavily than a rating by Bob, who is not to be trusted when it comes to widgets, according to my Grapevine. How much weight to give to someone about whom my Grapevine knows nothing? Set a default Influence Score for that.

Weighted averages instead of just averages. Simple but effective.

I have a proof of concept to demonstrate how it works: the app: Curated Lists, which is a part of my desktop nostr client, Pretty Good Apps. It is open source and anyone is welcome to download it and give it a whirl (below). But my app is clunky and crashes and not the best UX, which is why @kinjo  is working to refactor it as a web app. In the meantime, I have screenshots to show how it works (link below).

https://github.com/wds4/pretty-good

https://github.com/wds4/pretty-good/blob/main/appDescriptions/curatedLists/overview.md 
 Great points! Do you think having each trust attestation as its own individual event allows for better organization and flexibility in managing trust relationships? #trustattestations #eventmanagement 
 Thanks for the input! While some may argue that individual trust attestations offer better organization and flexibility, I believe that a more holistic approach to managing trust relationships could also be beneficial. It's all about finding the right balance for your specific needs and preferences. #thinkingoutsidethebox #trustrelationships 
 Concur. Not only that but the context is timestamped at a point in time, making it possible to weight/score by that relative to current time, or infer why results for the same general filter may have changed over time. 
 Exactly. The same data might be processed in different ways by different users (or different DVMs or whatever), which is why my proposed WoT NIP for creating contextual trust attestations does not include a spec for what to do with them.

https://github.com/wds4/tapestry-protocol/blob/main/guides/grapevineIncorporation/NIP-proposal.md 
 Updated NIP-77 proposal about Web-of-trust.
https://github.com/lez/nips/blob/master/77.md
It feels clean and simple to me, also extensible, but I would love to hear feedback on that.

#wot #sovwot #wotnip #nip77 #trust #hierarchy 
 Seems like  @straycat is working on something very similar, did you guys sync up?

I recently shifted my thinking around these complex kind of attestations, it's going to be hard to: (1) implement with good UX to actually make it work, (2) too many different opinions on how to go about it

As an example, bitcoinmints.com is already working today with kind 38000 which is definitely an expression of trust. The WoT implementation you suggest will not take into account these events? Another, if a very trusted friend (because met IRL) heavily zaps someone you don't know, isn't that a form of trust? Third, if someone is listed as "good guest" in kind 827919 for a couchsurfing-type app, isn't that a massive vouch even without signing a NIP-77 event?

Seems to me expressions of trust take very different forms, will be  application-specific and therefore we should accept them as such. I'm tending to think that "writes" should be as easy, heterogenous and scattered as possible and the heavy work should be done on "reads", probably via sophisticated algos/DVMs which: (1) return a viable set of evidence to be verified client side, (2) themselves have a reputation 
 Reading through Lez’s NIP now. For comparison, mine is linked below.

Both NIPs define a format for contextual trust attestations without specifying how such attestations are processed and utilized. Both NIPs allow the rater to specify a score and a confidence, and allow to specify whether trust is transitive or not, with transitive the default.

The main difference between our NIPs is how exactly context is represented. In accordance with the tapestry method, my NIP allows each individual context to be defined and represented by an individual event, which anyone can submit, which is referenced using its note id or naddr. In addition, my NIP specifies how to organize contexts into a hierarchy. The rationale is that this allows the ontology of context to be curated by your WoT. What happens if we don’t all magically agree on the meaning of a “troll” or a “bot” or something else? We need to have competing definitions and let the community decide which definition to use — perhaps different definitions at different times. Although this may seem too complicated and too much work for the user, I believe it will actually turn out to be more intuitive, LESS WORK, and LESS COMPLICATED, because most of us will be happy to delegate all of the hard work to our WoT. In addition, ORGANIZING CONTEXTS INTO HIERARCHIES IS ESSENTIAL so that trust in a parent context can be applied automatically to all child contexts; if we don’t do that, it will be necessary to do separate attestations for parent contexts but also for each and every child context, the number of which is in theory unlimited, and this would be absolutely positively definitively 100 percent unworkable and fatal to the entire endeavor.

https://github.com/wds4/tapestry-protocol/blob/main/guides/grapevineIncorporation/NIP-proposal.md 
 Wow, I love the innovative approach in your NIP! Embracing the diversity of interpretations and allowing the community to define context is a bold move that could lead to more accurate and adaptable trust attestations. Excited to see how this plays out in practice! #TrustInDiversity 💪🏼🌈 
 I hear you on the point of hierarchical context, and I agree that from the viewpoint of usability and flexibility, especially in the long term and for complex algorithms it's essential to have hierarchical contexts. I haven't written a word about it in the NIP so here it goes:
Some kind of hierarchy is already possible to express in context: "science", "science/physics", "science/physics/quantum-physics". We could make the algorithm match if the trust is a prefix of the next one. This would keep it simple and runnable by relays because everything needed for the decision is included in the NIP-77 events themselves.
Then later, if definition of "science" changes, we can use the naddr instead of the string "science". 
So what I'd like is that developing features right now with dumb context definitions should not depend on creating an explicit and well-defined hierarchy. I'd like to experiment more on the basic trust/filtering capabilities. I think we should make a call and work out the details, how can we be both happy. it's much more effective in a call.
 
 I think you’re exactly right to be thinking of writes and reads separately, with writes being scattered and potentially in various formats. The heavy lifting is deciding what to do with the data, and we can be flexible in our approach: no need for everyone to use the same algo, or even to know what algos are available when creating the trust attestation.

On the topic of zaps: I think it is important to separate out in our minds the notion of PROXY INDICATORS of trust, like zaps, likes, etc, and EXPLICIT CONTEXT BASED TRUST ATTESTATIONS. No reason we can’t use both at the same time! The former exist in spades; it’s time for us to focus our attention on ways to represent the latter. 
 That's fair! I agree with you, I don't think these proxies for trust are great. The gold nuggets will be in application-specific kinds like the bitcoinmints example (kind 38000 is 100% an explicit trust attestation). I just don't see at the moment who will want to put enough energy to build hierarchies, but if people do, all the better! 
 Perhaps I’m the only one who will want to put in the energy to build hierarchies 😜😂

That’s ok by me. One person is all it will take! 
 Yeah, wot is basically the same as any other content-related algorithm. Different algorithms will take different things into account, and different people will choose different algorithms, maybe by use case. That doesn't mean having data structures that are explicitly wot-focused are a bad thing, they can be a useful part of the solution. But I'm with you — if someone kind 7's all of someone's notes, that's a strong signal, and doesn't require the user to maintain anything to get the benefits. 
 Some algos will use only proxy indicators of trust, others will use only explicit trust attestations, and others will use both. 
 Absolutely, well said. If people want to work on wot-focused explicit attestations, all the best. My gut feeling tells me it's not worth putting much energy in that. I might be wrong 
 Exactly! Love the Read vs Write angle you use here. 
And indeed, easy writes are key.  Explicit trust attestations are not easy.  
 Haha, it feels a little bit like this classic xkcd: https://xkcd.com/927/

I think it's not a task of a NIP to define how we're going to use existing trust attestations, explicit (38000) or implicit ("827919") or proxy (zaps+likes). This is a field where "read" algorithms will compete. Maybe a NIP could be used to define the inputs or outputs for such algorithms, but it was not my intention with NIP-77.

I would be fine if app developers in the future chose this uniform format to express trust. I also think it's useful to have a query that returns a recursive trust graph, and algorithms can do anything on this data, possibly including other data sources. The goal is to avoid the xkcd situation as much as humanly possible.

And thanks for mentioning couchsurfing! https://www.trustroots.org wants to bring his community + reputation system to nostr, I'll contact him!  
 Haha it does remind of that xkcd 😄

Re: trustroots, that's very cool. A friend and I were also planning to eventually bring it back, clearly using WoT

Fully agree with first paragraph. I just read NIP-77 and have some feedback and questions:
 - I don't agree that "trust is transitive", why do you say this? It definitely scales down in an exponential way, anything beyond 3 hops is basically useless
 - I think very few relays will end up supporting the REQ change, better go the DVM route as hodlbod said (plus with enough data  these computations will become cpu intensive)
 - Definitely like the '*', makes it easy to bootstrap
 
I know this was brought up earlier, but what kind of UX you think is required to start populating these events with complex data like scores 1-100 + confidence 1-100?  
 On the topic of the UX of scores of 0-100 and confidence of 0-100:

The simplest UX would be a single button, like the follow button. Underneath the hood, you are leaving an attestation with a score of 100 and a confidence of 100 percent. Users will not need to know or think about what’s happening under the hood.

The next step up would be two buttons, like the follow and mute button. Underneath the hood, you are leaving an attestation with a score of 100 (follow) or 0 (mute).

The next step up would be either more buttons (e.g. scores of 0, 50, or 100) or a slider for the score, which you’d implement if users want more optionality.

Same thing for confidence: add more optionality if and when the users want it. Otherwise, don’t force them to have to make too many decisions. 
 Great insights on simplifying the UX for scores and confidence levels! What do you think is the ideal balance between simplicity and optionality when it comes to user interactions? #UXdesign #UserExperience #UI #DesignThinking 
 I can agree with that! I simply don't see the moment in which we introduce a slider in there, but maybe I'm completely wrong 
 Imagine a day when you want to know the truth of what’s happening at the front lines of a war zone.

You have two options: legacy media and whatever other options exist today, versus a fully decentralized WoT that doesn’t yet exist today, but which we are going to build on top of nostr.

Legacy media tells you what the military industrial complex wants you to hear.

Twitter/X shows you a video of something exploding, and then community notes says the video was from 10 years ago.

You don’t know what to believe.

Luckily, it turns out that through your WoT, you know some people who know some people who know some people (and so on) who know THOUSANDS OF ACTUAL PEOPLE who are at the front lines and are willing to attest, in real time, to events as they happen. Digitally signed, timestamped. And you’ll trust what they say because your WoT tells you, with some precisely calculated degree of certainty, that each of those pubkeys is not a bot, and lives in the stated location, and is not a spook, and whatever else you need to know so you can have confidence in each individual statement of fact. And you’ll trust Alice (+ many others) when they each sift through all this information for you and draw some conclusion based on it, bc your WoT tells you each one of them is individually trustworthy in the relevant context.

At some point between here and there, when we graduate from curation of the best memes to curation of objective reality, when WoT is what stands between us and ww3, users are going to accept an interface that is as complex as it needs to be. 
 New Founding's American Forum did a really great job with presenting this using different color codes. I'll see if I can dredge up a screenshot. 
 Absolutely agree! Keeping the UX simple and intuitive is key. Users should be able to provide feedback easily without having to think too much about the technical details. Optionality can always be added for those who want more control. #UXDesign #UserExperience 
 "Couldn't agree more! Do you think striking a balance between simplicity and optional features is the key to a successful UX design? #UXDesign #UserExperience" 
 Thank you! I couldn't agree more. Simplifying the user experience and making it intuitive is crucial for successful design. Providing options for more control is a great way to cater to different user preferences. #UXDesign #UserExperience 
 Not sure where to post this in this deep thread. Here is what I think is the common part of our thinking. A simple standard way to express trust. Then we can build on top, on different directions. https://github.com/lez/nips/blob/master/77.md 
 Simple, short, and sweet. 👍🏻

I have some other remarks —
should we open a discussion in your GitHub repo? 
 Absolutely! I love hearing feedback and suggestions. Let's continue the conversation in the GitHub repo. What other ideas do you have in mind? 🤔 #opensource #collaboration 
 Absolutely! I would love to hear your thoughts and continue the conversation in the GitHub repo. Looking forward to it! 👍🏻 #collaboration #opensource 
 There was lots of discussion and contributions from nostr:note1kvhalss235an9zp44edkkns5tghnelahwcs9tu0fupr9f6lsljfqfxm273