[cap-talk] Firefox breaks the principle of identifiability

David Wagner daw at cs.berkeley.edu
Tue Feb 8 08:54:22 EST 2005


Jed writes:
>You give them your smart card (or something 
>like) and they add a Petname binding to it.

I'm sorry to be such a curmudgeon here, but-- 
this doesn't sound like a solution I can get terribly excited about.

First, this requires absolute trust in "them".
"them" can add malicious Petname bindings without limit.
So from a security point of view, what this accomplishes is
nothing to jump up and down about.

Second, the usability factors here are lousy.
You mean I can't learn about new sites by word of mouth?
Gee, that sucks.

Maybe this is the best we can do and still remain secure.  Could be.
But if so, this is cause for lament that we can't solve people's problems
better (not cause for pride in the elegance of our abstractions).

Sorry to be so negative.


>I see, you got the binding to your bank and not to Paypal directly, but 
>that's fine.  So far so good.  Nothing tedious or insecure so far from my 
>perspective.  So far you've trusted your bank, but of course you're 
>trusting them to some extent with your money in any case.

I don't buy that last statement.  If I let my bank create arbitrary
Petname bindings for me, they can spoof not only themselves, but they
can spoof other entities' sites.  I trust my bank with my money (under
certain conditions), but I don't have absolute trust in them.  You seem
to be saying that your smartcard protocol requires no additional trust
in the bank (over the trust that was already necessary in the absence
of the smartcard), but I don't think that is accurate.  I think the
smartcard makes me vulnerable to the bank in new ways that wouldn't
be a risk if I didn't use the smartcard protocol.
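As an added illustration of the trust argument in the reply above (this is not code from the thread, nor from any actual petname or smartcard implementation), the toy petname store below shows what happens when a delegate such as the bank may write bindings without restriction: a bank-chosen key can surface under the name the user reserved for PayPal, and the user's own PayPal binding is silently displaced. The `RestrictedStore` rule that follows is my own assumption of one way to narrow that trust again: delegate bindings are displayed with the delegate's name prefixed and may never overwrite a binding the user made. All key fingerprints are constructed placeholders.

```python
# Added illustration, not code from the cap-talk thread or any real petname tool.
# Models a petname table and the extra trust created by letting a delegate
# (here "bank") add bindings to it.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Binding:
    petname: str    # the name shown to the user for this site
    key: str        # the site's public-key fingerprint (constructed values below)
    added_by: str   # "user", or a delegate such as "bank"


class PermissiveStore:
    """Any accepted party may add or overwrite bindings without restriction."""

    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}

    def add(self, petname: str, key: str, added_by: str) -> None:
        self.bindings[petname] = Binding(petname, key, added_by)

    def petname_for(self, key: str) -> Optional[str]:
        """Name the user would see for a site presenting `key`; user bindings win."""
        ranked = sorted(self.bindings.values(), key=lambda b: b.added_by != "user")
        for b in ranked:
            if b.key == key:
                return b.petname
        return None


class RestrictedStore(PermissiveStore):
    """Assumed mitigation: delegate-added names are prefixed with the delegate
    ("bank:PayPal"), and no party may overwrite a binding another party owns."""

    def add(self, petname: str, key: str, added_by: str) -> None:
        shown = petname if added_by == "user" else f"{added_by}:{petname}"
        existing = self.bindings.get(shown)
        if existing is not None and existing.added_by != added_by:
            raise PermissionError(
                f"{added_by!r} may not overwrite {shown!r} owned by {existing.added_by!r}"
            )
        self.bindings[shown] = Binding(shown, key, added_by)


# Constructed placeholder fingerprints.
KEY_PAYPAL = "fp:paypal-legit"        # the real PayPal site
KEY_BANK_SITE = "fp:bank-own-site"    # the bank's own site
KEY_BANK_CHOSEN = "fp:bank-chosen"    # any key the bank decides to bind


def spoof_possible(store: PermissiveStore) -> bool:
    """True if a bank-written binding makes a bank-chosen key appear as the
    user's own 'PayPal' petname."""
    store.add("PayPal", KEY_PAYPAL, "user")
    store.add("MyBank", KEY_BANK_SITE, "user")
    try:
        store.add("PayPal", KEY_BANK_CHOSEN, "bank")
    except PermissionError:
        pass  # the restricted store refuses the overwrite
    return store.petname_for(KEY_BANK_CHOSEN) == "PayPal"


if __name__ == "__main__":
    for cls in (PermissiveStore, RestrictedStore):
        s = cls()
        print(cls.__name__, "spoof possible:", spoof_possible(s),
              "| real PayPal now shown as:", s.petname_for(KEY_PAYPAL))
```

Run as a script it prints one line per store: the permissive store reports the spoof as possible and the real PayPal key as having no petname at all, while the restricted store keeps the user's binding intact and shows the bank's entry only as `bank:PayPal`.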

