[cap-talk] Firefox breaks the principle of identifiability
Jed Donnelley
jed at nersc.gov
Tue Feb 8 01:25:02 EST 2005
At 09:37 PM 2/7/2005, Tyler Close wrote:
...
>I want to continue to delay the introduction discussion until we nail down
>the phishing part of the discussion, but I will get to it if you want to.
...
I'm ready to hear it. Perhaps you could just point me to some stuff on
your YURLs. As you can see I was led in another sub thread to trying to
bind a Petname to a certificate fingerprint. I'll be interested to see if
there is something comparable in your proposal, though you seem to object
to cryptographic means. If you refer me to:
http://www.waterken.com/dev/YURL/Definition/
I don't believe I see anything comparable there. It states the
requirements but not how to meet them technically. When you say (in the
above URL):
__________________________________
Site authentication
A YURL MUST provide all the information required to authenticate the target
site. Authentication of the target site MUST ONLY rely on information
contained in the YURL. If any outside information were used for
authentication, the creator of that information would have power to
determine the target of sent messages, violating the y-property. In
particular, any URL scheme that depends on the PKI for authentication, such
as https, is not a YURL.
___________________________________
If my "YURL" was something like:
https://www.paypal.com/:cert-MD5://A9:04:4D:C2:74:5E:05:D9:28:44:E0:8C:53:E2:31:9A
it would seem to be going directly against the idea of your YURL. Tell me
why the above is inadequate.
Tell me what you propose as an alternative.
--Jed http://www.webstart.com/jed/
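
An added illustration, not part of the original message or of the YURL definition: a check a client could make against the fingerprint-carrying URL form sketched in the message, using only what the URL itself carries (no CA chain is consulted). The URL syntax is assumed from that one example; the function names and the stand-in certificate bytes are constructed here, and MD5 is accepted only because the example URL uses it (MD5 is no longer collision resistant).

```python
import hashlib
import hmac
import re

# Syntax assumed from the message's example URL (not a standard):
#   https://<host>/:cert-<HASH>://<colon-separated hex fingerprint>
PINNED_URL = re.compile(
    r"https://(?P<host>[A-Za-z0-9.-]+)/:cert-(?P<alg>[A-Za-z0-9]+)://"
    r"(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)"
)

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CONSTRUCTED_CERT = b"constructed stand-in for a DER certificate"
CONSTRUCTED_OTHER = b"constructed stand-in for a different certificate"


def parse_pinned_url(url):
    """Split the URL into (host, hash name, fingerprint bytes) or raise ValueError."""
    m = PINNED_URL.fullmatch(url)
    if m is None:
        raise ValueError("not a fingerprint-carrying URL")
    alg = m.group("alg").lower()
    if alg not in hashlib.algorithms_guaranteed:
        raise ValueError("unsupported hash: " + alg)
    fp = bytes.fromhex(m.group("fp").replace(":", ""))
    # A truncated fingerprint would weaken the binding, so require full length.
    if len(fp) != hashlib.new(alg).digest_size:
        raise ValueError("fingerprint length does not match " + alg)
    return m.group("host").lower(), alg, fp


def cert_matches(url, presented_host, cert_der):
    """True only if both the host and the certificate digest match the URL."""
    host, alg, expected = parse_pinned_url(url)
    actual = hashlib.new(alg, cert_der).digest()
    same_cert = hmac.compare_digest(actual, expected)
    return same_cert and presented_host.lower() == host


def make_pinned_url(host, alg, cert_der):
    """Build a URL of the same form for a given certificate (helper for the demo)."""
    digest = hashlib.new(alg, cert_der).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return "https://%s/:cert-%s://%s" % (host, alg.upper(), pairs)


if __name__ == "__main__":
    url = make_pinned_url("example.test", "sha256", CONSTRUCTED_CERT)
    print(url)
    print(cert_matches(url, "example.test", CONSTRUCTED_CERT))   # same certificate
    print(cert_matches(url, "example.test", CONSTRUCTED_OTHER))  # substituted certificate
```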