On URIs and trust

Jonathan A. Rees, with Henry S. Thompson, 21 March 2010

Continuing with ACTION-402, here's a longer summary of the topic Henry and I (Jonathan) wanted to talk about. It's about the trustworthiness of URIs.

We know that there is a trust issue; otherwise we wouldn't have ISSUE-50 outstanding and speculation about new archival DNS domains. Institutions such as journals, libraries, and courts that care about careful reference don't rely on URIs for references. Instead they use a reference consisting of a description (metadata), say author, date, title and publisher, and rely on what one might call a binding convention which relates the reference/description to a document. The 'binding' of such a description to a document is a matter of publicly accessible historical fact - did that author issue the document under that title on that date - and can in principle be verified by checking an appropriate line of evidence, traditionally replicas stored in accessible, administratively independent libraries. (Usually it's not in doubt, and this is related to the objective nature of the binding convention.) Trust follows from verifiability.

Description-based references are not always the only trustworthy ones; you can do this with names (very similar to URIs) as well. The Linnaean naming system has a binding convention to the effect that names are bound by a priority system: the earliest published definition of a name is by universal agreement the correct definition. This is a decentralized, authority-free, trusted system that has worked well for over 250 years. [The use of the Linnaean system has serious problems, but they are not related to the binding rule.]

In both stories, binding and resolution are orthogonal. Resolution is simply any effective system that is faithful to the binding rule. If I'm interested in resolution, I can go shopping and find a resolution service that I like, and if one gives the wrong answer (unlikely given that liars can be caught), I can switch to another. Again, verifiability induces honesty and thus trust.

The question is, what might be done in the URI space (http: or otherwise) that would lead to the same level of trust. It appears from the available examples that trustworthy mechanisms depend not on organizations holding authority (as with the ICANN/DNS system) but on them relinquishing naming authority to the public according to some objective criterion. The Linnaean example shows this is socially possible, and some requirements for trust are met to varying degrees by various technologically supported systems (e.g. Dataverse, Tahoe-LAFS, ARK, LOCKSS). We should also be able to learn from experience with URNs and handles, whose incomplete successes show that the problem probably has aspects that are unrecognized or misunderstood. The problem is obviously difficult (we won't even attempt a bibliography!), but there is much precedent from which we can learn.

See also: Henry S. Thompson and Jonathan Rees. Guidelines for Web-based naming. 15 September 2009.