From Knowledge to Trust: A Logical Framework for Pre-trust Computations

. Computational trust is the digital counterpart of the human notion of trust as applied in social systems. Its main purpose is to improve the reliability of interactions in online communities and of knowledge transfer in information management systems. Trust models are typically composed of two parts: a trust computing part and a trust manipulation part. The former serves the purpose of gathering relevant information and then use it to compute initial trust values; the latter takes the initial trust values as granted and manipulates them for specific purposes, like, e.g., aggregation and propagation of trust, which are at the base of a notion of reputation. While trust manipulation is widely studied, very little attention is paid to the trust computing part. In this paper, we propose a formal language with which we can reason about knowledge, trust and their interaction. Specifically, in this setting it is possible to put into direct dependence possessed knowledge with values estimating trust, distrust, and uncertainty, which can then be used to feed any trust manipulation component of computational trust models.


Introduction
Given the growing number of interactions in online communities and of information exchanges in information management systems, it's becoming increasingly important to have security mechanisms that can prevent fraudulent behaviors.However, implementing hard security mechanisms for every possible interaction, e.g.authentication methods or access controls, can be costly and a failure of such mechanisms might put the whole system in jeopardy.For this reason, it is necessary to include other soft security mechanisms in the design of those environments where transactions and exchanges take place [10,19].Trust is one form of soft security that can be implemented into a system: trust is a social control mechanism that brings an undoubtedly positive impact on cooperative operations, both by increasing the chances of performing an interaction and by decreasing the chances of having malevolent behaviors during those interactions [1,18].Therefore, trust has both a proactive and a control effect over interactions.Computational trust is the digital counterpart of trust as applied in ordinary social communities and computational trust models are soft security mechanisms that implement the notion of trust in digital environments to increase the quan-tity and quality of interactions 1 .Computational trust models are typically composed of two parts: a trust computing part and a trust manipulation part.While trust manipulation is widely studied, very little attention is paid to the trust computing part.In this paper, we propose a formal language with which it is possible to reason about how knowledge 2 and trust interact.Specifically, in this setting it is possible to put into direct dependence possessed knowledge with values estimating trust, distrust, and uncertainty, which can then be used to feed the trust manipulation component of any computational trust models.The paper will proceed as follows: in section 2, we discuss the distinction between trust computation and trust manipulation by providing some examples of both components as implemented in computational trust models; in section 3, following on the discussion of section 2, we will show how one well-known model for trust manipulation, i.e.Audun Jøsang's Subjective Logic [11], struggles when dealing with the trust computing component; in section 4, we provide the syntax and semantics of what we will call trust logic.In this logic, we will show how we can talk about the notion of trust and we will then show how the semantical structure in which the logic is interpreted helps in compute trust values that can be fed into Subjective Logic's trust manipulation component; finally, in section 5, we conclude the paper with some general remarks.

Trust Computing and Trust Manipulation
A good formalization of the notion of trust must accomplish two goals.The first goal is that of explaining how trust is generated: while it is possible to take trust as a primitive and unexplained notion, it is often preferable to provide a reduction of the notion of trust to more basic concepts, aiding our comprehension of the phenomenon of trust in various contexts.The second goal is that of explaining the dynamics of trust, i.e. how trust evolves under different circumstances: this should help in determining how dynamics in an environment (e.g. a group of friends or a multinational company) influence trust.To each goal corresponds a different component of trust models.Specifically, it is possible to identify a trust computing and a trust manipulation component.The former serves the purpose of gathering relevant information, which is considered basic, and then use it to compute trust values; the latter takes trust values as granted and manipulates them for specific purposes using different operators.
Even though both components are important, authors often concentrate on one or the other: models that concentrate on the trust computing component rely on the fact that when an environment changes, it is possible to repeatedly compute new trust values, therefore no trust manipulation component is needed; models that concentrate on the trust manipulation component can rely on conceptions of trust that take the concept as a primitive or depend for their initial values on other models, therefore neglecting the trust computing component.To highlight the distinction between trust computing and trust manipulation, we will now provide three examples of trust models and show how each component behaves in those models.To those three models we will then add a fourth one, which will be used as a target for the reflections of the rest of the paper.Note that the models presented were selected for explanatory purposes (i.e. to make clearer the distinction between the two components).No important or specific facts are derived from the models and, therefore, no results of this paper depend on the choices made.

Marsh's Trust Model
In [13], Stephen Marsh presented the first example of a thorough and detailed analysis of the notion of trust in a computational setting.His system was designed for possible implementations in distributed artificial intelligence and multi-agent systems: the main purpose of his thesis was that of using a formal variant of common-sense trust to increase the quality of the evaluation an autonomous agent should perform to decide whether to collaborate or not with other agents.In this model, it is possible to identify three different forms of trust: 1) Basic trust; 2) General trust; 3) Situational trust.
Basic trust represents the general attitude of an agent, when all his experiences in life are considered; general trust is the overall trust a trustor has in a trustee; situational trust is the specific trust a trustor has in a trustee when a specific collaborative task should take place.Basic trust and general trust are taken as primitives, while situational trust is reduced to more basic concepts.
In Marsh's model, the trust computing component is arrived at through a conceptual analysis of the notion of trust, which either classify trust as a primitive notion or helps in identifying the basic elements that form specific versions of trust (i.e.situational trust).We will now briefly explain how situational trust is analyzed, since this form of trust is at the core of Marsh's model.Specifically, situational trust is computed starting from three basic parameters:   (), the amount of utility agent  gains if situation  occurs;   (), the importance of situation  for agent ;   () ̂, the general trusting disposition of agent  towards agent .To obtain the situational trust, those three components are multiplied together.
The trust computing component of Marsh's model is straightforward.Once some basic information is gathered and expressed with numerical values, those values are multiplied to obtain a specific trust value.
What is limited in Marsh's model is the trust manipulation component.This is because the model relies on repeated computations of the trust values, rather than a manipulation of already obtained values.We will show in later sections (section 3) that this is a very severe limiting factor in computational trust models, since it makes it hard to provide evaluations for trust in different scenarios, e.g. when trust is obtained through referrals from one agent to another.

Yu and Singh's Trust Model
In [21], the authors present a formal framework in which to evaluate the reputation of agents based on witnesses.The model also provides tools to avoid deception in rating provision.Yu and Singh's model is based on Dempster-Shafer theory of evidence and favors the trust manipulation component over the trust computing one.The trust computing component is based on past interactions between agents, where an agent  trusts another agent  if the percentage of positive past experiences over the whole number of recent experiences is superior to a given threshold.The trust computing component of this model is extremely simple and is lacking a proper analysis of trust.Moreover, it relies on the fact that the amount of data on past interactions is big, otherwise the values computed might be misleading.This is troublesome, since in digital environments interactions between the same agents are scarce.However, the strength of the model is associated with its trust manipulation component.In this model, it is possible to aggregate together ratings from different agents.Given a trust net, which is a directed graph representing the referral chains produced by an agent 's query about the trustworthiness of another agent ,  might obtain a value of the trustworthiness of  by combining the various ratings given to  by all close acquaintances of  in the trust net.The operation is based on Dempster rule of combination and the result is that of combining as a weighted sum all the trust values of other agents into one for the trustor.

BDI + Repage
In [17], the authors present a sophisticated model for trust and reputation evaluation and propagation.This model has both a simple trust computing and a good trust manipulation component.First, in BDI Rapage, there is a clear distinction between a trust and a reputation evaluation, where the former (called image) is interpreted as the trustor's belief in the trustworthiness of the trustee, while the latter is interpreted as the trustor's meta-belief on the beliefs about the trustee of other agents.The trust computing part is based, like in [21], on past experiences, which can be categorized under five different labels (Very Bad, Bad, Neutral, Good, Very Good).Past experiences influence the weight of each label, providing a specific numerical value for each.Those numerical values are then used to generate an image (what we call trust evaluation) of the trustee for the given trustor.This trust evaluation, coupled with the desires, the beliefs and the intentions of the trustor, leads to the decision of collaborating or not.As in [21], the trust computing component suffers from the requirement of having many past interactions and the real strength of the model lies in its trust manipulation component.For such component, this model includes a full logical language that can help reasoning about trust and reputation.The logical framework is that of a hierarchical multi-sorted first-order language.In such language is easy to express formulas that describe, over and above simple properties of objects, the de-sires, beliefs, intentions and the trust evaluations of a given agent and then, using various logical connectives (e.g.conjunction and disjunction), it is possible to specify different conditions for the presence or absence of trust by the trustor.

Summing Up
We saw three computational trust models and their respective trust computing and trust manipulation components.It has been shown that none of the model can deal perfectly with both components.We will now present a fourth model, which will be the starting point for the reflection made in this paper.This model, i.e.Audun Jøsang's Subjective Logic [11], is extremely well-suited to manipulate trust values using different algebraic operators, but suffers from a poor trust computing component.We will show how the logical language we present in this paper, can be used to implement a good trust computing component in Subjective Logic.

Subjective Logic
We described in section 2 the two main components of computational trust models and provided some examples of the role those two components have in such models.
In this section, we will introduce a further computational trust model, i.e.Audun Jøsang's Subjective Logic.We will explain why we choose this model as the starting point of our work and why we believe the model requires some improvements.
In Subjective Logic trust is represented as the opinion of agent  about a given proposition .An opinion has three major components, and a fourth added component which completes the trust evaluation and helps in computing an expected value for trust.The three major components are, respectively, a belief component, a disbelief component and an uncertainty component3 , while the fourth added component is labelled as base rate and indicates the prior probability associated with the truth of a proposition when no initial relevant information is available.The belief, disbelief and uncertainty components are additive to one, leading to the fact that Subjective Logic is effectively an extension of traditional probability logics.The additivity principle of the three major components allow also for a nice visualization of opinions through a triangle, which we will call the opinion triangle (Fig. 1).It is possible to observe in the figure that an opinion   is identified through the three major components of belief, disbelief and uncertainty and, after the generic opinion is obtained, it is possible to compute the expected trust value (  ) using the base rate (indicated in the figure with the letter a): the base rate determines the slope of the projection of the opinion on the base of the triangle and allows to compute an expected value when no uncertainty is taken into account in the valuation of the opinion.Subjective Logic is a widely employed model to manipulate trust, but is rather illsuited when it comes to compute initial trust values to be used as inputs to the model.The reason is that the only source of information that Subjective Logic allows to compute trust values is reputation scores based on past interactions.Once it is noticed that different agents might evaluate interaction differently and that reputation scores in one context are not easily transferable to other context, the fact that Subjective Logic has no other means to compute initial trust values becomes a big drawback.This is also noted by Jøsang himself: "The major difficulty with applying subjective logic is to find a way to consistently determine opinions to be used as input parameters.People may find the opinion model unfamiliar, and different individuals may produce conflicting opinions when faced with the same evidence."[8].
The aim of this paper is specifically to implement a trust computing component that can produce initial trust values which can then be plugged into Subjective Logic.

A Language for Trust
We will now introduce the syntax and semantics of a formal language that will allow us to reason about knowledge and trust and, furthermore, to provide a trust computing mechanism that can produce values to be fed into Subjective Logic's trust manipulation component.This, we believe, is an improvement to Subjective Logic.The leading idea of the framework comes from an insight given by Jøsang: "…[T]rust ultimately is a personal and subjective phenomenon that is based on various factors or evidence, and that some of those carry more weight than others.Personal experience typically carries more weight than second hand trust referrals or reputation…" [9].The idea is therefore that of using the expressive power of a formal language to describe the information possessed by an agent and then transform this knowledge into an opinion value about a given proposition with all the three major components of Subjective Logic made explicit.

Syntax
In our language ℒ, we start with two sets.The two initial sets are a finite set Ag of agents and a finite set At of atomic propositional constant.Given p  At, i  Ag and b a rational number in the interval [0, 1] (with 0 and 1 included), the grammar for our language is given by the following BNF: All other connectives and operators are defined in the standard way: i) Ki() should be intuitively read as "agent i knows that "; we will call such formulas knowledge formulas.i()b should be intuitively read as "agent i trusts formula  to degree at least b"; we will call such formulas trust formulas.The degree to which an agent can trust goes from 0, complete distrust, to 1, complete trust.

Semantics
The semantics we will provide in this paper is in truth theoretical form and depends on a structure that is a combination of traditional relational structures for modal logics with added components to interpret trust formulas [7,12].We will interpret the above presented language in the following structure M = (S, Cntx, , Ri1, …, Rin, T), where S is a finite set of possible states of the system; Cntx is a finite set of contexts, i.e. scenarios in which to evaluate trust;  is a valuation function over the set At, assigning to each atomic proposition in At a set of possible worlds, i.e. : At →(S) ; Ri, one for each agent i  Ag, is an accessibility relation defined over S, i.e.Ri  SS ; finally, T = ((i, c), (i, c, )) is a trust relevance space which determines, for each formula of the language, which propositional constants are relevant and how relevant they are.T has two distinct components: a qualitative relevance component (i, c) and a quantitative relevance component (i, c, ).
The qualitative relevance component (i, c), one for each couple of elements i  Ag and c  Cntx, takes formulas of the language as arguments and returns as values subsets of At, i.e. (i, c): ℒ → (At); the quantitative relevance component (i, c, ), which is a family of functions, one for each formula of the language and defined over the same couple of i  Ag and c  Cntx of (i, c), assigns to each relevant atomic proposition p member of the subset of At selected by (i, c), a rational number in the range (0, 1], i.e. (i, c, ): (i, c)() → (0, 1] 4 .The weights assigned must be additive to 1. Since the set of agents and the set of contexts are finite, there is a finite number of trust relevance spaces. A possible state s  S represent a way in which the system can be specified; two states differ from one another by what propositions hold in such states.For example, in one state it might hold that it is sunny in San Francisco, while in another state it might hold that it is raining in San Francisco and therefore it is not sunny.If no nonstandard conditions 5 are placed on the description of a system (i.e.proscriptions on propositions that can or can't hold together), there will be exactly 2 |At| states in S, where |At| is the cardinality of the set of propositional constants.
The valuation function  assigns to each proposition  ∈  a set of states; a state is included in the set if, and only if, the proposition holds in the given state.
The accessibility relations Ri connect possible states according to the epistemic status of the agent to whom the accessibility relation is associated.Two states are therefore connected if they are epistemically indistinguishable for the agent (i.e. according to what the agent knows, he can't determine which of two states is the actual one).For example, if an agent only knows the weather of Rome, he can't determine which is the actual state between the state in which it is sunny in San Francisco and the one in which it is raining in San Francisco; therefore, the two states would be connected by an accessibility relation; for the current paper, we are assuming that the accessibility relations are equivalence relations, i.e. reflexive, symmetric and transitive relations.
Finally, the trust relevance space T provides both a qualitative and a quantitative evaluation of the information that will help in determining the exact trust value an agent places in a formula.The qualitative relevance function (i, c), specifies, for an evaluating agent (the trustor) and an evaluation scenario (the context), which information (under the form of propositional constants) is relevant to compute an actual trust value.The relevance weight assigning functions (i, c, ) provide a quantitative assessment of relevance of a given proposition to trust, assigning specific weights to all propositional constants that are selected by applying (i, c) to .The additivity condition on (i, c, ) is in place to guarantee that in the best-case scenario (the one in which all relevant propositional constants do hold in the state and the agent is aware of all of them) there is full trust on the part of the trustor and moreover, it is never possible, in the system, to exceed full trust.
Once the basic components of the model are given, it is possible to extend the functions  and (i, c, ) to consider other formulas over and above the ones on which those functions are defined.This is fundamental to provide proper satisfiability conditions for the language.We will proceed to give the extensions explicitly: we will label the extension of  with  ext and the extension of (i, c, ) with (i, c, ) ext .Intuitively, the function  ext assigns to each formula of the language the set of states in which the formula holds, i.e.  ext : ℒ → (S).Put another way,  ext returns, for each formula of the language, the states that are compatible with the truth of such formula.This means that if an agent knows a given formula (i.e.he/she thinks that the formula is true), he/she will consider possible only the states contained in the set identified by  ext .For now, it is only possible to extend  to negations, conjunctions and knowledge formulas, we will then extend it also to trust formulas.The function  ext is defined recursively as follows: Where S\ ext () is the set-theoretic complement of  ext () with respect to the whole set of possible states S.
The valuation of knowledge formulas should be read intuitively as follows: to check if a given state s is a member of the valuation set of the formula Ki(), take all states t of the system that are accessible from the state s; if all those states t are members of the valuation set of the formula , then the state s is a member of the valuation set of the formula Ki(); repeat the process for every state of the system (since the set of states S is finite, the process will eventually end).Before extending  ext also to trust formulas, we are required to extend the family of functions (i, c, ).To obtain such an extension, we define another family of functions (i, c, ).The (i, c, ), one for each formula  of the language, are defined over the possible states of the system and associate with every state s  S a rational number in the interval [0, 1], i.e. (i, c, ): S → [0, 1].The family (i, c, ) depends on a trust relevance space T and the members of such family sum up all the relevance weights of the propositional constants that hold in the state s taken as argument.This sum represents the upper bound of trust in  for each state.Intuitively, a function (i, c, ) indicates how much trust an agent has in the formula  in each state, if he/she is aware, in the state, of all the relevant information related to that  (i.e.he/she knows what relevant propositions are true in that state).Another way to put it is the following: if an agent knows exactly which is the current state, (i, c, ) indicates the amount of trust he/she has in .Thus, (i, c, ) is an ideal measurement of trust.The function is defined explicitly as follows: Note that since (i, c, ) is additive to 1, we are guaranteed that (i, c, ) itself never exceeds 1.We assume that if the state to which (i, c, ) is applied is not contained in any  ext (p), then (i, c, ) assigns to it the value 0: We can now define (i, c, ) ext for all formulas.Intuitively, the function (i, c, ) ext assigns a trust relevance weight to all formulas of the language, i.e. (i, c, ) ext : ℒ → [0, 1].Note that (i, c, ) ext also depends on all the elements on which (i, c, ) depend.This allows for the possibility of taking  both as parameter and as argument of the func-tion.(i, c, ) ext takes the sum of the relevance weights of all worlds in which a formula holds, i.e. the members of the valuation of the formula, and then divides the result for the cardinality of the valuation of the formula.It is extremely important to understand the behavior of (i, c, ) ext , because this function is the one properly defining trust in our formal language.The explicit definition of (i, c, ) ext is the following: Two remarks must be made about ( 7): first, it should be noted that the (i, c, ) ext of a formula, again, never exceeds 1; furthermore, the reader should note that  ext () is yet to be defined for trust formulas and, therefore, the function (i, c, ) ext is undefined for this typology of formulas.The reason is that, in our language to obtain the valuation of a trust formula, we need to be able to apply the function (i, c, ) ext to knowledge formulas first.This should be expected, since the main intuition behind the language presented in the paper is that trust depends on the knowledge of agents.
To properly define (i, c, ) ext for all formulas, we must return first to the function  ext and see how this function can be fully extended to include in its domain trust formulas.To obtain the valuation  ext for trust formulas, we now present a complete procedure.This procedure indicates what are the step necessary to obtain the set of states in which a given trust formula hold and a by-product of the procedure will be that of understanding how to compute the value of a trust formula in each state.
The procedure has 6 steps: 1.We start with the trust formula i()b that we want to evaluate.We consider the trust relevance space T of the formula .Note that the set (i, c) of any formula will only contain propositional constants and, particularly, it will not contain any occurrence of trust formulas6 .2. Given a state s  S, we take the formulas  s.t.s   ext (Ki()) and  does not contain occurrences of trust formulas (i.e.no subformula of the formula is a trust formula) 7 .3. We take the conjunction of the formulas identified in step 2 and we manipulate it to transform it in the equivalent simplified Conjunctive Normal Form (CNF), i.e. a CNF on which redundant formulas are eliminated and the annihilation and absorption law have been applied 8 .4. We compute the (i, c, ) ext of the formula obtained in step 3.This is a rational number in the range [0, 1].Note that, given our conditions during the procedure, we are guaranteed that (i, c, ) ext is properly defined for such a formula, since there is no occurrence of trust formulas at this point.5. We compare the value obtained in step 4 with the value  that appears in the trust formula we are evaluating.If the value is more than or equal to b, we say that i()b holds in the state s  S and we therefore add it to the set  ext (i()b) 6.We return to step 2 and repeat the process for another state of the system.
Note that, since the set S of states is finite, the procedure will eventually end.When the procedure ends, the result is the valuation set of the formula i()b, i.e.  ext (i()b).Even if not strictly necessary for the evaluation of the formulas of our language, we also complete the extension of function (i, c, ) ext to all formulas by giving the valuation function of trust formulas.
We will now provide truth-theoretical conditions for the satisfiability of a formula.Given a model M, a state s  S, a context c  Cntx and a rational number b in the range [0, 1], the satisfiability conditions are defined as follows: Given the above satisfiability conditions, we define four concepts of validity.A formula is context-valid with respect to a structure if, and only if, it is satisfied by every state of the system, once a specific context is given.A formula is state-valid with respect to a structure if, and only if, it is satisfied in every context, once a specific state is given.A formula is model-valid if, and only if, it is both context-valid and state-valid.A formula is fully-valid if, and only if, it is model-valid for all possible models.This structure is sufficient to be able to reason about knowledge and trust.
The above presented language is sufficient to reason about knowledge and trust and their interrelationship.The language provides a good way to compute pre-trust values and therefore can be employed as a trust-computing component of a computational trust model.We will now show how it is possible to use this language to feed the trust manipulation component of Jøsang's Subjective Logic.

From Knowledge to Trust: Pre-Trust Computations
The aim of our pre-trust computation is to obtain the three distinct components of Subjective Logic's opinions.Such components are respectively, belief, disbelief and uncertainty.We will now show that obtaining those three components is straightforward in our system, once our semantical structure is given.We start by specifying the three opinion components: "agent i believes in proposition p" (symbolically   ()) means that agent i, the trustor, believes, to a given degree, in the truth of proposition p; "agent i disbelieves in proposition p" (symbolically   ()) means that agent i dis-sufficient.We are dealing with a formal version of trust and this makes it necessary that trust is somehow measurable.For this reason, we have the  function, that assigns measures to the relevant information, telling us how much each piece of information is relevant to the trust in a given proposition.Again, this measure is subjective in nature and therefore must depend both on agents and contexts.Once obtained the T structure, we can now compute trust values for ideal situations.This is the role of the  function.What a  function does is to take states and determine the trust value in the formula in such a state, if an agent can determine univocally that that state is the only possible one.To this extent, the value of the  function and that of the  ext function is the same, if the formula to which  ext is applied univocally identifies the state to which  is applied.As we said, though, this is an ideal situation and often, in the real world, agents do not possess enough information to univocally determine a state over the others.For this reason, we introduce the function  ext , which tells us how much trust must be placed into a given formula, when that formula identifies a subset of S. This is the reason  ext depends on the function  ext (i.e. the function that identifies the states compatible with the information carried by a given formula).One possible critique is that we take the average of the ideal trust values of the remaining possible states and this is not justified, since we might want to take the minimum or the maximum value among the ones available.To justify our choices, we rely on the principle of sufficient reason.For the principle of sufficient reason, if an agent has no sufficient reasons for preferring a state to another, he should attribute to each state the same probability.Since we are assuming that agents can't determine which is the actual state among all the ones compatible with his/her information (if he/she could determine the actual state, we would again return to the reflections on ideal settings), he/she has no way of preferring one trust value over the others.Note that this might lead, in some scenarios, to trust a formula in a situation where there shouldn't be trust and distrusting a formula in a situation where there should be trust.We believe that this is not fully problematic, since the traditional concept of trust is open to the same issues and therefore it might be that the problem is inherently connected with trust and not specifically with our formalism.Nonetheless, it is possible to change the computation of  ext to consider optimistic and pessimistic attitudes in the part of the agent.Note, however, that this would only avoid one part of the problem of misplaced trust by enhancing the other part (e.g. an optimistic approach would avoid the possibility of not trusting when trust should be warranted, at the expense of having many more scenarios in which the agent trusts when trust shouldn't be warranted).For those reasons, at least at the theoretical level of this work, we prefer using the average.This exhaust the intuitive description of our formal language.We will now include a concrete example, to show a practical application of our language to a real scenario.

Example
In this section we build a concrete example and show how our formal language (especially the semantical structure) helps in analyzing the example.Assume we have 2 agents (Anne and Bob) and 2 contexts (Fixing_the_car and Preparing_dinner).Imagine we have a third agent, Charlie, Anne's father and a car mechanic.What we are trying to evaluate in this example is the trust Anne and Bob place in the proposition "Charlie will help me".We will call the agents A and B, the contexts with F and P and the proposition "Charlie will help me" with .Imagine the world is completely described by 4 propositional constants: p1: Charlie has a master degree in engineering; p2: Charlie has taken cooking classes; p3: Charlie offers a guarantee when he repairs a car; p4: Charlie is a meticulous person.
We now apply :  We now have all the elements to assess how much trust an agent has in the proposition  in each possible scenario.Let's imagine we want to evaluate the two formulas A()0.5 and B()0.8.We will evaluate the first formula for two contexts in the same state, i.e. the contexts Fixing_the_car and Preparing_dinner in the state s7.We will evaluate the second formula for the same context in two different states, i.e. the context Fixing_the_car in the states s2 and s8.
Let's try to determine first whether (M, s7, F) ⊨ A ()0.5.Given the structure we presented above, it is possible to derive that in every state Anne knows whether or not her father has a master degree in engineering and whether or not he is meticulous.Therefore, she knows those facts also in s7, meaning that s7 is contained both in the set  ext (KA(p1)) and  ext (KA(p4)) 10 .We therefore identified the two propositions p1 and p4.The simplified CNF of the conjunction of those two propositions is just their conjunction p1 p4.We now compute the (A, F, ) ext function of this proposition: This means that (A, F, ) ext (p1 p4)=4/4=1.Therefore, (M, s7, F) ⊨ A ()0.5 holds.This should be expected, because for Anne to trust that Charlie will help in the context of fixing the car the only relevant fact is that Charlie is meticulous.Since she knows in s7 that Charlie is meticulous, she has full trust in the fact that Charlie will help.
When evaluating the   () opinion in the context fixing_the_car and assuming the actual state is s7, we first determine , which is p1 p4.We then compute  ext (p1 p4), which is {s1, s3, s5, s7}.The next step is that of computing the various (A, F, )(s), i.e. (A, F, )(s1)=(A, F, )(s3)=(A, F, )(s5)=(A, F, )(s7)=1.We can finally determine the various components of the opinion   ():   () is equal to 1, i.e. the minimum among the values of the (A, F, )(s);   () is equal to 0, i.e. 1 minus the maximum among the values of the (A, F, )(s);   () is equal to 0, i.e. the maximum minus the minimum.We now give the result for the other three examples we examined, without providing the computations.For the opinion   () in the context preparing_dinner and assuming the actual state is s7:   () is equal to 0.4;   () is equal to 0;   () is equal to 0.6.For the opinion   () in the context fixing_the_car and assuming the actual state is s2:   () is equal to 0.4;   () is equal to 0;   () is equal to 0.6.For the opinion   () in the context fixing_the_car and assuming the actual state is s8:   () is equal to 0;   () is equal to 0.4;   () is equal to 0.6.This last computation exhausts our example.

Conclusion and Future Work
In this paper, we first discussed the distinction between the trust computing component and the trust manipulation component of computational trust models.We then showed that classical computational models are often focused only on one of the two components.Specifically, we showed that Audun Jøsang's Subjective Logic, one of the best-suited models for trust manipulation, is lacking a proper trust computing mechanism.To overcome this downside of Subjective Logic, we proposed a logical language that can be employed to reason about knowledge and trust.Moreover, we showed how to move from our logical language to Subjective Logic.This, we believe, is an improvement for Subjective Logic and, generally, for the understanding of computational trust.In the future, the aim is to provide an actual implementation of the language and the ideas contained in this paper.Moreover, we believe it is possible to provide dynamic version of the language, which can take into consideration flow of information and time-related concerns.A final and interesting research direction is that of comparing the language proposed with others formal structures employed to represent uncertainty.

Fig. 1
Fig. 1 Opinion triangle where all components used to compute trust are represented.