How it works

A calculator for trust

6d trust is a modernized, generalized version of the Advogato trust metric. It answers one question — given who you already trust, who else should you trust? — and it answers it in a way that's hard to game with fake accounts. It holds no opinion of its own; it only computes.

The graph is made of vouches

Every person is a node. Every vouch is a directed edge: “A certifies B,” at one of three levels — apprentice, journeyer, or master. A vouch is signed by the voucher's key, so it's self-authenticating: anyone can verify it without trusting whoever runs the service. The aggregator is an index, not an authority — it can't forge an edge or silently drop one.

Trust is computed from a root, not a throne

A root is a set of seed identities you take as trusted-by-definition — your worldview's axioms. Trust is computed relative to that root. Pick different seeds and the same graph yields different verdicts: a person can be a master from one root and unrated from another. There is no single global root handing down a universal score — that's the one thing this service deliberately refuses to be.

Why fake accounts can't buy trust

Trust flows out from the seeds like a current. Each node is given a capacity that shrinks with its distance from the seeds, and the flow is solved as a max-flow problem (every node split so that being “accepted” costs one unit of flow). A node is trusted only if the current actually reaches it.

The consequence is the whole point: the number of bogus identities that can sneak into the trusted set is bounded by the capacity of the real edges leading into them — not by how many fakes exist. An attacker can spin up a million accounts; if only one trusted person vouches into that cluster, only a trickle of trust gets through. The bottleneck is the honest edge, and the attacker doesn't control it.

seed ∞20020050one honest edgeany number of fakes
Capacity shrinks with distance from the seed; the cluster of fakes is throttled by the single real edge into it, no matter how large it grows.

Three levels, three passes

The metric runs three times — once over the master-level edges only, once including journeyer, once including apprentice. A node's level is the highest pass at which the current still reaches it. Stricter trust travels a shorter distance; looser trust reaches further. The result is cached as an accept-set per root, so reads (a badge, “is X trusted under root R?”) are instant lookups, recomputed in the background when the graph changes.

Prior art & credit

The attack-resistant trust metric at the heart of this project is not ours — it's Raph Levien's. He designed it for Advogato, the early free-software community site, and developed the theory in “Attack-Resistant Trust Metrics for Public Key Certification” (Levien & Aiken, USENIX Security, 1998) and his later work on attack-resistant trust metrics. The max-flow construction, node capacities that decrease with distance from the seed, and the certification levels are all his. The reference implementation lived in Advogato's mod_virgule.

Our one substantive departure: Levien's seed was a single hard-wired global root. We make the seed set per-viewer — that's the modernization, and the reason this can be a neutral calculator instead of a judge. Everything load-bearing under it is his idea, twenty-five years early.

← Back to the live demo