[cap-talk] Firefox breaks the principle of identifiability
David Wagner
daw at cs.berkeley.edu
Tue Feb 8 13:41:01 EST 2005
Marc Stiegler:
>Looks like, by signing up with this paypal, I will be on a
>system that allows me to exchange bucks with both alice and Bob.
I'm new to all this, so maybe I'm thinking about things the wrong way,
but my first impression is that your conclusion above looks like a bit
of a leap. It looks to me like it is succumbing to two fallacies about
reasoning about trust: 1) "transitive trust"; 2) the difference between
"I trust X" vs "I trust X for purpose P".
You assumed that if Alice trusts Goggle as a useful general-purpose search
engine and if I trust Alice to introduce me to useful general-purpose
search engines, then Goggle can be trusted to introduce me to trustworthy
payment systems. But that is questionable. With longer and longer
chains, it becomes more and more questionable.
Also, you assumed that if Alice introduces me to Goggle as a useful
general-purpose search engine, then she would also be willing to claim
that the first search result for the search query "Paypal" is trustworthy
for purposes of handling your money. But maybe Alice only intended
to assert that Goggle is adequate for the former purpose but not for
the latter.
I'm not convinced it is as easy as all this. This strikes me as a
problem that might be unavoidably hard. What seems to make it hard is
that it involves humans. We're trying to solve a people problem with an
(admittedly elegant) mathematical technique. That strategy worries me,
because technical "solutions" to social problems often don't work nearly
as well as one might wish. The human is embedded in the protocol,
and we're trying to prevent social engineering attacks on the human,
which means that we have to anticipate all the ways that humans might
be fooled into coming to the wrong conclusions -- but humans behave
in surprising ways, and their behavior isn't easily formalized in a
mathematical framework.
To put it another way, maybe this isn't one of those problems with a
perfect and elegant principled solution. It might be an engineering
problem where no single clean solution suffices, and where workable
solutions tend to look messy. I don't have any proof of that, just a
fear that it might be the case. But we shouldn't let my fears stop us
from looking hard for good solutions to this problem, so please don't
let these remarks get in the way of continuing the discussion.