[cap-talk] Firefox breaks the principle of identifiability
Ben Laurie
ben at algroup.co.uk
Tue Feb 8 16:42:13 EST 2005

Karp, Alan H wrote:
> Ben Laurie wrote:
>
>>Let's say I start with actually visiting my bank, and getting the
>>fingerprint of their cert. I then tediously type that into my machine.
>>Now I can go to the bank's website, and find their trustable link to
>>PayPal. So, I go to PayPal and transfer some money from my bank into my
>>PayPal account. I want to buy something with that money, so I follow
>>PayPal's trustable link to eBay. On eBay, I find Joe Sixpack selling the
>>something, so I follow eBay's trustable link to Joe Sixpack. Joe Sixpack
>>has a friend, Evil Bastard, and a trustable link to him on his website.
>>Now I have a trustable link to Evil Bastard (who Joe Sixpack described
>>as escrow.com). I give my money to Evil Bastard, who promptly disappears,
>>as does Joe Sixpack.
>>
>
> Then I've overinterpreted the meaning of "trust" in "trustable link". A
> trustable link is only saying "this link refers to the party I call X".
> It's up to me to decide how much I trust X based on information from the
> introducer and how much I trust the introducer. In the case of my bank
> introducing me to PayPal, I'm likely to assign a reasonable degree of
> trust. First of all, PayPal is widely known not to cheat people.
> Second, my bank stands to lose my business if it introduces me to a
> phony PayPal.

How do you know the PayPal your bank introduced you to is the PayPal you
are so keen on?

> I'd probably make similar assumptions about PayPal's
> introducing me to eBay, although perhaps with less assurance, since my
> business relationship with PayPal isn't as strong as with my bank. I
> can trust eBay's introduction of Joe Sixpack only to the extent that
> eBay is willing to stand behind it.

How much do you think your bank would be willing to stand behind an
introduction to PayPal or eBay? I contend that if they were asked to
provide any kind of assurance their response would be "find PayPal on
your own, moron - have fun".

> In this case, that's the limit of
> the insurance eBay provides. I have no basis to rely on any
> introductions provided by Joe Sixpack. Doing so is just foolish.

And this will be the status of _all_ introductions in the real world.