[cap-talk] Firefox breaks the principle of identifiability
Jed at Webstart
donnelley1 at webstart.com
Tue Feb 8 18:50:06 EST 2005
(sorry for the somewhat delayed response)
At 05:54 AM 2/8/2005, David Wagner wrote:
>Jed writes:
> >You give them your smart card (or something
> >like) and they add a Petname binding to it.
>
>I'm sorry to be such a curmudgeon here, but--
>this doesn't sound like a solution I can get terribly excited about.
>
>First, this requires absolute trust in "them".
>"them" can add malicious Petname bindings without limit.
No, you can both see and control the Petnames that are
uploaded when you access the information on your card.
Hey, this is easy as I'm making it up as I go along. Still,
I believe the nay-saying position is way overstated.
>So from a security point of view, what this accomplishes is
>nothing to jump up and down about.
What it accomplishes is exactly the secure communication
of a trust relationship from one digitally connected entity
to another. What more can you ask?
>Second, the usability factors here are lousy.
>You mean I can't learn about new sites by word of mouth?
>Gee, that sucks.
From my perspective that drives one back into the interface
between the analog world and the digital one. For anybody
who speaks digital the same communication of trust is
of course possible.
>Maybe this is the best we can do and still remain secure. Could be.
>But if so, this is cause for lament that we can't solve people's problems
>better (not cause for pride in the elegance of our abstractions).
>
>Sorry to be so negative.
Indeed. I wish I could better understand the reason for the negativity.
From my perspective the available tools and their application seem
quite appropriate and effective to the task of communicating trust.
> >I see, you got the binding to your bank and not to Paypal directly, but
> >that's fine. So far so good. Nothing tedious or insecure so far from my
> >perspective. So far you've trusted your bank, but of course you're
> >trusting them to some extent with your money in any case.
>
>I don't buy that last statement. If I let my bank create arbitrary
>Petname bindings for me, they can spoof not only themselves, but they
>can spoof other entities' sites.
You seem to be assuming more trust than I intended - as noted above.
Does the above refinement that notes user control over the Petnames
mollify you?
>I trust my bank with my money (under
>certain conditions), but I don't have absolute trust in them. You seem
>to be saying that your smartcard protocol requires no additional trust
>in the bank (over the trust that was already necessary in the absence
>of the smartcard), but I don't think that is accurate. I think the
>smartcard makes me vulnerable to the bank in new ways that wouldn't
>be a risk if I didn't use the smartcard protocol.
To me it seems you're focusing on the wrong aspect of the communication
and embellishing the mechanism - e.g. giving more control to the bank.
I don't believe this is a fundamentally difficult problem. Perhaps if you
do you can suggest where you believe the problem lies and we can
focus on that area rather than continuing to add problems to implementations
that I suggest. Better yet, just consider Tyler Close's suggested
implementation and suggest problem areas there - as his mechanisms
are documented on the Web.
--Jed http://www.webstart.com/jed/