Re: [cap-talk] Re: First point of consensus

[Tyler Close]

On Feb 9, 2005, at 12:56 AM, Ka-Ping Yee wrote:
>
> On Tue, 8 Feb 2005, Jed at Webstart wrote:
>> Given your Probably answer to #3, I assume you accept
>> that when one uses a Petname to identity a previously
>> bound site then doing so eliminates the danger of Phishing.
>> That sounds like an added value to - regardless of whether
>> there are other means of identifying sites or not.
>
> Yes, i believe that a petname mechanism, if designed and implemented
> well, will probably provide some value in protecting against phishing.
> But Tyler's proposed statement of consensus is a vastly stronger
> claim:
>
> Do you agree that the petname toolbar prevents phishing attacks
> as they are defined in this email?
>
> In my opinion, that is a false claim.  A single UI feature cannot
> "prevent phishing".  Whether or not a petname toolbar works to reduce
> the risk of phishing depends on its design and the context in which it
> is presented, in particular the other navigation mechanisms available
> to the user, as well as the user's understanding and training.

I was *not* claiming any of the following:
1. The petname toolbar could be incorrectly implemented and still work.
2. The petname toolbar could be presented in the wrong context and still
work.
3. The petname toolbar could not be undermined by new browser navigation
mechanisms.
4. The petname toolbar requires no explanation or user training.
5. The petname toolbar is foolproof.

Normally, I would expect all of the above to be understood. It seems
unreasonable to ask that any UI feature require no training and be
foolproof.

When I say the petname toolbar 'prevents' phishing, I am using the word
'prevents' in much the same way as I say a railing 'prevents' me from
falling off a ledge. If we are going to be language lawyers, then I'll
direct you to a dictionary and have you look up the difference in
meaning between 'prevent' and 'preclude'. My use of the term 'prevent'
is correct, and I believe you are mistaking its meaning with that of
the term 'preclude'.

I am claiming:
1. The petname toolbar conveniently presents all the information needed
to avoid a phishing attack.
2. An attacker cannot trick the petname toolbar into assisting the
deception.

> You call me "picky" for refusing to make an overreaching blanket
> claim.

I call you "picky" for attempting to paint me as making an overreaching
blanket claim that is clearly unreasonable. You have associated
additional and incorrect meaning with my statement.

> I say, "The real world is messy (especially when it involves humans).
> Get used to it."

Again, I am not claiming otherwise. I am only claiming that the petname
toolbar is a highly reliable and uncorruptible anti-phishing tool. It
is up to humans to use the tool.

In contrast, today's mechanism, the address toolbar is both unreliable
and corruptible.

>  I will not claim that the petname toolbar works until
> it has been tested in a user study and there is evidence for its 
> success.

This will certainly make for a much stronger claim. Obviously, I am not
claiming to have already gathered this evidence. My claim is based only
on study of the mechanism. Again, I thought this would be understood. I
was not asking others to claim to have done extensive user studies,
only to claim they had examined the mechanism and believed it would
work.

> (In fact, i'm working on designing such a study so that i can find out
> whether it really works.)

Thank you very much. I look forward to seeing the results and offer to
help you in any way you need.

Tyler

---
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/