[cap-talk] Firefox breaks the principle of identifiability

Jed at Webstart donnelley1 at webstart.com
Mon Feb 7 23:36:54 EST 2005


At 07:56 PM 2/7/2005, Mark Miller wrote:
>Ben Laurie wrote:
>>Mark Miller wrote:
>>>Ben Laurie wrote:
>>>>The use case is surely where you see www.xn--paypal-4ve.com first and 
>>>>assign that the pet name "paypal"?
>>>
>>>How did you come to see www.xn--paypal-4ve.com ?
>>It arrived in an email.
>
>Does your email reader render it as a link? If so, and if you haven't 
>already assigned a Pet Name to this URL, then it would generate and render 
>a "proposed Pet Name", such as "unknown-3", or perhaps one based on the 
>site's nickname, such as "paypal-3". In the latter case, you know only 
>that this is one of the sites that wish to be called "paypal". See 
><http://www.erights.org/elib/capability/pnml.html#nicknames>.
>
>Reading the raw text of the URL itself is about as meaningful as looking 
>at the memory address of an object; and user interfaces should show them 
>to us about as often. Of course, this isn't currently practical, because 
>we're starting with a legacy of DNS names, and will co-exist with this 
>legacy for the foreseeable future. But any confusion caused by the text in 
>the URL itself is due to the non-pet-name logic of DNS.
>
>Many people have learned not to believe that any random piece of spam will 
>make their penis bigger. Many have not learned this lesson. Once there's a 
>practical alternative to reading URL strings, we should regard people who 
>believe what a URL itself seems to say as we regard people who fall for 
>spam. Likewise for people who take nicknames (and therefore the proposed 
>pet names generated from them) too seriously.
>
>Yes, all this is a pain, and much less pleasant than what we might wish 
>were possible. But wishing won't repeal Zooko's triangle. I know of no 
>other way to actually solve the problem.

Let me see if I can address the issue that I think is being raised that I 
believe to be independent of the original issue of "Firefox breaks the 
principle of identifiability".

I believe, as it seems Mark Miller does, that the Petname mechanism solves 
the identifiability confusion issue.  However, what others seem to be 
raising is the problem that still exists of establishing a trust 
relationship with an identity.  Naturally, if someone I trust tells me, "Oh 
yeah, you can trust 'Paypal'" and uses my "Paypal" Petname, I should 
understand that such a recommendation is nonsense.  The choice of the 
Petname was mine, was essentially arbitrary, and can have no meaningful 
relationship with the name "Paypal" that my trusted source refers to - 
except in so far as I establish such a relationship.

So then what can someone I trust tell me that might induce me to trust this 
identity I've established?  They might tell me something about what the 
site can communicate.  For example, they might tell me that if I visit the 
site and view the SSL certificate presented and I find that its MD5 
Fingerprint is A9:04:4D:...:E2:31:9A  then I can trust that it's "Paypal" 
the organization that I can place some trust in.  They might tell me that 
if I communicate with the IP address 216.113.188.32 then I can trust that 
it's "Paypal" the organization that I can place some trust in, though we 
all know about the problems with IP spoofing.  Ditto DNS and DNS 
spoofing.  They might also tell me that if I view their certificate and I 
see Organization (O) Paypal, Inc., Serial Number 16:CD:58:...:4D:3D:4f 
Issued by Organization (O) VeriSign Trust Network then it's "Paypal" the 
organization that I can place some trust in, though if they did so I would 
stop trusting them :-)

I believe, however, that this issue of establishing a trust relationship 
with an identity is independent of the original "Firefox breaks the 
principle of identifiability" issue that I believe is solved with the 
Petname mechanism.

As Tyler says:

>Defending the integrity of introductions is also important, but it is a 
>separate problem from phishing.

I believe I'm trying to say the same thing.

--Jed http://www.webstart.com/jed/  
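
A minimal sketch of the pet-name lookup discussed in this thread, added here as an illustration; it is not code from any poster or from an existing Petname tool. The class, the sequential suffix on proposed names, and the sample keys `www.paypal.com` and `example.invalid` are assumptions; the nickname is whatever the site claims for itself.

```python
import re


class PetnameStore:
    """Pet names are keyed on the exact site identifier, never on how it looks."""

    def __init__(self):
        self._pet = {}       # key -> pet name the user assigned
        self._proposed = {}  # key -> proposed name shown until the user decides
        self._counter = 0    # assumption: sequential suffix for proposals

    def assign(self, key, petname):
        """Record the user's own choice of name for this exact key."""
        key = key.lower()
        others = {v for k, v in {**self._proposed, **self._pet}.items() if k != key}
        if petname in others:
            raise ValueError(f"{petname!r} already names another site")
        self._pet[key] = petname
        self._proposed.pop(key, None)

    def label(self, key, nickname=None):
        """Return (text, is_pet_name) to render in place of the raw URL string."""
        key = key.lower()
        if key in self._pet:
            return self._pet[key], True
        if key not in self._proposed:
            # The nickname is only a hint from the site; it never selects an
            # existing pet name, it only seeds a visibly distinct proposal.
            base = re.sub(r"[^a-z0-9]", "", (nickname or "").lower()) or "unknown"
            taken = set(self._pet.values())
            while True:
                self._counter += 1
                name = f"{base}-{self._counter}"
                if name not in taken:
                    break
            self._proposed[key] = name
        return self._proposed[key], False


def demo():
    store = PetnameStore()
    store.assign("www.paypal.com", "paypal")  # the user's earlier choice
    return [
        store.label("www.paypal.com"),
        store.label("www.xn--paypal-4ve.com", nickname="paypal"),  # link from e-mail
        store.label("www.xn--paypal-4ve.com", nickname="paypal"),  # stable on re-render
        store.label("example.invalid"),                            # no nickname offered
    ]
```

The store only keeps names distinct; whether the key first given the pet name "paypal" deserved it is the separate introduction problem raised above.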


