See also
* "Trustlet Wiki":http://www.trustlet.org/wiki

Potential Ingredients for a trust metric

h2. Reputation

* Web of trust
* Reputation systems
** Akismet, Viking, etc.

* prove_as_human Completing a 
* validate_email

  logged_in
  akismet, etc.
  session duration

h2. Accountability

Does the person tied to this identity stand to lose or gain anything based on this action?


h2. Past history

* past history
** we can revisit past trust decisions based on revised trust estimates
* recency of errors (reduce trust on an application exception)

h2. Commitment

* are_you_sure -- ask for con
* willingness to pay a "hate task" (compute big hash) a la Zed Shaw
* send_me_one_cent a micropayment
** shows commitment
** secondary validation from payment system
** offsets rist

h2. Identity Binding

* Stale sessions
  bq. "If your application allows users to be logged in for long periods of time
  ensure that controls are in place to revalidate a user’s authorization to a
  resource. For example, if Bob has the role of “Top Secret” at 1:00, and at
  2:00 while he is logged in his role is reduced to Secret he should not be able
  to access “Top Secret” data any more." -- http://www.owasp.org/index.php/Guide_to_Authorization

* how I authenticated: for instance, 'logged in by cookie' << 'logged in by password'