[cap-talk] Firefox breaks the principle of identifiability
Jed Donnelley
jed at nersc.gov
Tue Feb 8 02:14:11 EST 2005
At 10:38 PM 2/7/2005, Ben Laurie wrote:
>Jed Donnelley wrote:
>...
>>The one thing I think might be missing is the binding of the Petname to the
>>fingerprint. Binding it to an IP address or DNS name has known problems.
>>If there was a binding to a fingerprint as above (I don't know, there may
>>be),
>>would that suffice? Would you consider that 'practical'? If not, why not?
>
>Let's say I start with actually visiting my bank, and getting the
>fingerprint of their cert. I then tediously type that into my machine.
Forget the tedious typing. You give them your smart card (or something
like) and they add a Petname binding to it. You bring it home and plug it
into your system with your browser running and the binding is uploaded. Or
if you have secure access to their Web site you can pull down the binding
from there.
>Now I can go to the bank's website, and find their trustable link to PayPal.
I see, you got the binding to your bank and not to PayPal directly, but
that's fine. So far so good. Nothing tedious or insecure so far from my
perspective. So far you've trusted your bank, but of course you're
trusting them to some extent with your money in any case.
>So, I go to PayPal and transfer some money from my bank into my PayPal
>account.
At that point I hope your bank gave you some pretty strong assurances about
PayPal. I'm not sure why they wouldn't just let you access your money
directly from them, but I'll follow along. So far so good.
>I want to buy something with that money, so I follow PayPal's trustable
>link to eBay. On eBay, I find Joe Sixpack selling the something, so I
>follow eBay's trustable link to Joe Sixpack. Joe Sixpack has a friend,
>Evil Bastard, and a trustable link to him on his website. Now I have a
>trustable link to Evil Bastard (who Joe Sixpack described as escrow.com) I
>give my money to Evil Bastard, who promptly disappears, as does Joe Sixpack.
>
>How did this chain of trust help me?
It helped you in that you had some confidence that your money would still
be available after you transferred it into PayPal. If it somehow
disappeared from PayPal other than by your request then you could hold your
bank responsible - perhaps taking them to court (depending on the
assurances they gave you).
I don't know what the addition of the Joe Sixpack -> Evil Bastard link adds
to the mix, or eBay for that matter. As soon as you start dealing with the
untrusted Joe Sixpack, you have no assurance whatsoever. If you want some
assurance in dealing with an unknown entity like that then you need to use
an escrow mechanism. Your bank could set one up for you. You know them,
you trust them ;-) Of course they will charge you something for the escrow
account. I haven't yet done a transaction over eBay, but I have done
Internet transactions that required an escrow account (e.g. selling a DNS
name). Seems to me to work fine.
Where do we stand at this point? You still seem to see problems (tedious
typing and the inability to communicate trust) that I believe have
technical solutions. I accept that solving those problems doesn't solve
all the world's problems (e.g. dealing with unknown and untrusted entities
like Joe Sixpack), but I believe such solutions do provide a basis for
helping with a variety of transactions that are otherwise more
difficult. In any case I believe we're way past the issue of Firefox
breaking the principle of identifiability. Perhaps you'll have a better
time in the thread with Tyler Close. I'm interested to hear him '...get to
it...'.
--Jed http://www.webstart.com/jed/
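To make the fingerprint-bound Petname idea above concrete, here is an added example (not code from the thread or from any petname tool) of a store keyed on certificate fingerprints rather than DNS names or IPs. The certificate bytes, the host names, and the policy that only out-of-band bindings may vouch for a "trustable link" are assumptions for the illustration.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certs).
BANK_CERT = b"constructed cert: My Bank"
PAYPAL_CERT = b"constructed cert: PayPal"
LOOKALIKE_CERT = b"constructed cert: attacker's cert for a look-alike paypal host"


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of the certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameStore:
    """Petnames bound to certificate fingerprints, never to DNS names or IPs."""

    def __init__(self):
        self._by_fp = {}  # fingerprint -> (petname, introducer petname or None)

    def bind_direct(self, petname, cert_der):
        """Binding obtained out of band, e.g. loaded from the card the bank wrote."""
        self._by_fp[fingerprint(cert_der)] = (petname, None)

    def bind_via_link(self, introducer_cert, petname, cert_der):
        """Hypothetical policy: accept a 'trustable link' only from a petname that was
        bound out of band. Links from unknown sites, or from sites that were themselves
        only introduced by a link, add no assurance and are refused."""
        intro = self._by_fp.get(fingerprint(introducer_cert))
        if intro is None or intro[1] is not None:
            return False
        self._by_fp[fingerprint(cert_der)] = (petname, intro[0])
        return True

    def recognise(self, presented_cert, dns_name):
        """Lookup keyed on the presented cert only; dns_name is reported, not trusted."""
        hit = self._by_fp.get(fingerprint(presented_cert))
        if hit is None:
            return None
        petname, introducer = hit
        return {"petname": petname, "introduced_by": introducer, "dns_name": dns_name}


def demo():
    store = PetnameStore()
    store.bind_direct("My Bank", BANK_CERT)                       # from the smart card
    store.bind_via_link(BANK_CERT, "PayPal (vouched by bank)", PAYPAL_CERT)
    # Joe Sixpack is unknown, so his link to "escrow.com" is refused outright.
    joe_ok = store.bind_via_link(b"constructed cert: Joe", "escrow.com", b"constructed cert: EB")
    genuine = store.recognise(PAYPAL_CERT, "pay-pal.example")     # moved host, same cert
    fake = store.recognise(LOOKALIKE_CERT, "www.paypal.com")      # right name, wrong cert
    return joe_ok, genuine, fake
```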