[cap-talk] Firefox breaks the principle of identifiability
Jed at Webstart
donnelley1 at webstart.com
Tue Feb 8 14:12:47 EST 2005
At 07:34 AM 2/8/2005, you wrote:
>Jed Donnelley wrote:
>
>>
>>Forget the tedious typing. You give them your smart card (or something
>>like) and they add a Petname binding to it.
>
>
>This isn't a petname. At least as far as I
>know a petname must be chosen and set
>by the owner. If it is suggested by some
>other agency, it is a nickname. Now, if
>your model is that they give you a nickname
>and you then elect that as a petname, that
>would be ok.
>
>(This might sound picky ... but the concept
>of petname is quite rigorous in that it is
>between the user's mind and their agent.
>If that changes, then *all* security bets are
>off, I suspect, and we have to go back to
>the drawing board.)
In what I hope is positive criticism, I do believe there
is a fair amount of what I feel is counterproductive
'pickiness' going on generally in this discussion.
I'm hopeful that we can separate out the basic
mechanisms available from implementation details.
<As I noted elsewhere in a later message> of course
the Petnames are managed by the user. The interface
could look something like:
"Bank of America suggests the binding of the name
'Paypal' with the URL https://www.paypal.com/
and the certificate fingerprint:
A9:04:4D:C2:74:5E:05:D9:28:44:E0:8C:53:E2:31:9A
The 'Paypal' Petname is available. Would you like
to assign this name as above?"
It's your software presumably trusted with the right
to make Petname bindings. It has access to the information
from your bank (perhaps even binding some of its
identification to its local Petname...) from the card
or perhaps from a previously known Web site.
It presents that information to you and lets you
choose the Petname binding if you like.
OK, now before anybody gets carried away criticizing
yet more details of that implementation, please first
try to think about whether the criticism is about the
implementation or the basic mechanisms. If the
implementation, perhaps you can suggest a better
implementation. Maybe one that's more user friendly
or perhaps one that overcomes some flaw apparent in
the above. I don't care too much about that
aspect of things. I believe such things will work out
over time.
What I really want to hear are criticisms that suggest
fundamental flaws in the available mechanisms/tools.
For example, I feel that merging of the URL with the SSL
certificate fingerprint adds security to the Petname binding.
I'd be interested to hear criticism of that underlying
mechanism.
>>You bring it home and plug it into your system with your browser running
>>and the binding is uploaded. Or if you have secure access to their Web
>>site you can pull down the binding from there.
>
>
>Ah, this is more akin to an introduction.
Fine - call it what you like. I'll try to adopt any agreed upon language.
From my perspective the fundamental nut of the mechanism is the
ability to communicate some trust from one trusted entity to
another, in the case under consideration where they both
speak digital. And of course the communication is to a user
at a browser ultimately using a Petname or Petlogo. I believe
the "tedious typing" criticisms are bogus as I feel they apply
only to the interface between analog and digital.
The thread of getting here from "Firefox breaks the principle of
identifiability"
seems a rather long and torturous one, but I believe I can still follow
the pieces that led us here.
--Jed http://www.webstart.com/jed/
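The mechanism the message sketches, a Petname bound to both the site's URL and its certificate fingerprint, delivered as a suggested binding that the user must accept, as an added example in Python. This is not code from the original post or from any petname tool; the class and function names, the choice of SHA-256 for the fingerprint (the post shows a 16-byte, MD5-sized one, but the mechanism is the same), and the stand-in certificate bytes are all assumptions made for the example.

```python
"""Petname store binding a user-chosen name to an https origin plus a
certificate fingerprint, with an "introduction" step a trusted party (the
bank in the post) can suggest and the user must accept.  Added example,
not code from the cap-talk post or from any petname tool."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: fingerprints are SHA-256 over the DER certificate, written as
# colon-separated upper-case hex (32 bytes -> 32 pairs).
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")


def origin_of(url: str) -> str:
    """Reduce a URL to the https origin the binding is keyed on."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"binding needs an https URL with a host: {url!r}")
    return f"https://{parts.hostname.lower()}:{parts.port or 443}"


def fingerprint_of(der_cert: bytes) -> str:
    """Colon-separated upper-case hex SHA-256 of a DER-encoded certificate."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


@dataclass(frozen=True)
class Binding:
    origin: str        # https://host:port the name is bound to
    fingerprint: str   # certificate fingerprint merged into the same binding


class PetnameStore:
    def __init__(self) -> None:
        self._by_name: dict[str, Binding] = {}
        self._by_origin: dict[str, str] = {}

    def is_available(self, name: str) -> bool:
        return name not in self._by_name

    def proposal_text(self, introducer: str, suggested: str, url: str,
                      fingerprint: str) -> str:
        """The prompt the post sketches: show what the introducer suggests and
        whether the name is free.  Nothing is stored until the user accepts."""
        status = "available" if self.is_available(suggested) else "already taken"
        return (f"{introducer} suggests the binding of the name {suggested!r} "
                f"with the URL {url} and the certificate fingerprint:\n"
                f"{fingerprint}\nThe {suggested!r} Petname is {status}.")

    def accept_introduction(self, suggested: str, url: str, fingerprint: str,
                            chosen: str | None = None) -> Binding:
        """User accepts the suggested name or elects their own; only then is
        the binding stored, with URL origin and fingerprint bound together."""
        name = chosen or suggested
        if not self.is_available(name):
            raise ValueError(f"Petname {name!r} is already bound")
        if not FINGERPRINT_RE.match(fingerprint):
            raise ValueError("malformed certificate fingerprint")
        origin = origin_of(url)
        if origin in self._by_origin:
            raise ValueError(f"{origin} is already bound to {self._by_origin[origin]!r}")
        binding = Binding(origin, fingerprint)
        self._by_name[name] = binding
        self._by_origin[origin] = name
        return binding

    def lookup(self, url: str, der_cert: bytes) -> tuple[str, str | None]:
        """What the browser would display for a page: the Petname when both the
        origin and the presented certificate match, 'mismatch' when the origin
        is known but the certificate differs, 'unknown' for everything else."""
        name = self._by_origin.get(origin_of(url))
        if name is None:
            return ("unknown", None)
        if self._by_name[name].fingerprint != fingerprint_of(der_cert):
            return ("mismatch", name)
        return ("petname", name)


if __name__ == "__main__":
    # Constructed sample input: stand-in DER bytes, not real certificates.
    paypal_cert = b"constructed DER bytes: www.paypal.com"
    store = PetnameStore()
    fp = fingerprint_of(paypal_cert)
    print(store.proposal_text("Bank of America", "Paypal", "https://www.paypal.com/", fp))
    store.accept_introduction("Paypal", "https://www.paypal.com/", fp)
    print(store.lookup("https://www.paypal.com/cgi-bin/webscr", paypal_cert))
    print(store.lookup("https://www.paypal.com/", b"constructed DER bytes: other cert"))
```

The binding is keyed on the origin (scheme, host, port) rather than the full URL, so any page under the bound site resolves to the Petname; the `mismatch` result is the case a URL-only binding would miss, where the address matches but the certificate presented is not the one the user accepted at introduction time.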