[cap-talk] Firefox breaks the principle of identifiability

marcs marcs at skyhunter.com
Tue Feb 8 13:38:44 EST 2005


> Let me step back a minute.  I think there are two worldviews here.
> 
> The crypto-purist's view: Public keys are the only names you 
> can trust. The only way you can be introduced to Coca Cola is 
> to have someone you trust absolutely give you Coca Cola's 
> public key.  When you want to communicate with Coca Cola, you 
> should always specify who you want to communicate with by 
> telling the computer Coca Cola's public key.  As an 
> optimization, you can tell the computer Coca Cola's public 
> key once, and establish a pet name, but that's just an 
> optimization.  As another optimization, we can let the SHA1 
> fingerprint stand in as a substitute for Coca Cola's public 
> key, but that's just another optimization.  If you want to be 
> introduced to Coca Cola through a non-electronic channel, the 
> introducer has to tell you Coca Cola's public key (or its 
> fingerprint) and you have to type it into your computer.  
> Names (i.e., public keys) should only be communicated over 
> the computer.  IP addresses and domain names are useful only 
> for routing.

This is very much the stance for E objects, of course, which can work
effectively in a lot more contexts than the ones they are currently being used in :-)
While not a complete world view, it sure would be nice to see how far we can
drive with this model before surrendering :-)

> 
> The realist's view: In the real world, sometimes we learn 
> names over non-digital channels.  For instance, the name 
> "Coca Cola" has a nearly universal binding.  Having your 
> computer insist that the name "Coca Cola" means nothing isn't 
> helpful.  What is the owner of the Coca Cola brand supposed 
> to do?  Print their public key at the bottom of every TV ad 
> they ever make, and hope that everyone who sees the ad will 
> meticulously type in a 40-hex digit string?  Hopeless.  And 
> the idea that people will tell their friends "I drink 
> ee65f5a583fb7b26c753faf610586372409f2ec1"
> instead of "I drink Coke" seems something far short of plausible.
> 
> I have trouble believing that something as extreme as the 
> crypto-purist's worldview is ever going to be workable in the 
> real world -- at least, not as the complete answer.  As much 
> as the security geek in me cringes at the thought of 
> advocating a global root of trust like Verisign, I think 
> there is an argument that something short of the 
> crypto-purist's stance might be required, at least in many 
> cases.

We agree that the crypto-purist worldview is incomplete. However, an entity
like Verisign is neither necessary nor even really helpful. A name like Coke
has meaning, not because it was blessed by Verisign, but rather because a
majority of people mean the same thing when they say it. Algorithms like the
Google algorithms (and the clever algorithms Rick Rashid's folks have
developed for Microsoft) are far better at establishing common views of
terminology than anything like Verisign could ever hope to achieve. These
algorithms are better because they follow the evolution of human meanings.
Though such evolution would understandably give the crypto purist superb
nightmares, humans are designed to deal with it effectively. Also, such
algorithms give us human-like context relationships as well. I recently
needed to find the list of references to the capability pattern we refer to
as a powerbox. Typing "powerbox" into Google gives us a manufacturer of
electrical components. But typing "capability secure powerbox" gives us what
we would expect. In a world built human-style -- which is similar enough to
a world built Google-style to be interesting -- it is OK for a second
company that specializes in payroll benefits to call itself paypal. Humans
would distinguish by context.

--marcs
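The "crypto-purist" binding quoted in this thread (the public key is the name, the SHA1 fingerprint is a stand-in for it, the pet name is a purely local alias) can be made concrete with a small pet-name table. This is an added illustration, not code from the thread, from E, or from Firefox; the keys are constructed sample bytes, not real keys, and the `PetnameTable` class and its methods are names chosen here.

```python
# Added example: a minimal local pet-name table. The principal's real name is
# its public key; the 40-hex-digit SHA-1 fingerprint substitutes for the key;
# the pet name is a local alias that no global authority (Verisign etc.) blesses.
import hashlib
from typing import Dict, Optional

def fingerprint(public_key: bytes) -> str:
    """SHA-1 fingerprint (40 hex digits) standing in for the full key."""
    return hashlib.sha1(public_key).hexdigest()

class PetnameTable:
    """Pet name -> fingerprint bindings chosen by the local user."""

    def __init__(self) -> None:
        self._by_name: Dict[str, str] = {}

    def introduce(self, petname: str, public_key: bytes) -> str:
        """Bind a pet name to a key once; refuse to silently rebind it to
        a different key, since that is exactly how an impostor would take
        over a name the user already trusts."""
        fp = fingerprint(public_key)
        existing = self._by_name.get(petname)
        if existing is not None and existing != fp:
            raise ValueError(f"pet name {petname!r} already bound to {existing}")
        self._by_name[petname] = fp
        return fp

    def resolve(self, petname: str) -> Optional[str]:
        """Fingerprint bound to a pet name, or None if never introduced."""
        return self._by_name.get(petname)

    def matches(self, petname: str, presented_key: bytes) -> bool:
        """Does the key a peer presents match what we bound to this pet name?
        An unknown pet name never matches: no binding, no trust."""
        expected = self._by_name.get(petname)
        return expected is not None and expected == fingerprint(presented_key)

# Constructed sample "keys" (plain bytes, not real key material).
COKE_KEY = b"constructed sample public key for Coca Cola"
IMPOSTOR_KEY = b"constructed sample public key for an impostor"

def demo() -> bool:
    """Introduce Coke once, then check a genuine and an impostor presentation."""
    table = PetnameTable()
    table.introduce("Coke", COKE_KEY)
    return table.matches("Coke", COKE_KEY) and not table.matches("Coke", IMPOSTOR_KEY)
```

Note that the table never looks the name up anywhere global: a second "paypal" gets a different local pet name (or a refusal), which is the context-based disambiguation the message argues humans already do.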
