[cap-talk] Firefox breaks the principle of identifiability
Ian G
iang at systemics.com
Thu Feb 10 12:26:30 EST 2005
Marc,
formatting might be a bit screwed up here.
> > (What you seem to be saying is that in any cost/
> > benefit analysis you need to include a benefit / cost
> > related to some future expected target that you'd
> > like to achieve. Seen in this way, you also have to
> > discount your target according to the perceived
> > value and the probability of ever getting the return.)
>
> On the one hand, yes, of course. On the other hand, discount
> rates are tricky -- if our ancestors had used discount rates
> the way we sometimes use them today, we'd still be throwing
> spears, the probability of successfully creating a reliable
> bow and arrow would be too low to offset the effort of working on it.
Right. The way the market solves this is quite
caustic - it lets a thousand entrepreneurs believe
they know the answer, and encourages them to break
their back on it. Only 10 will survive, and as
long as 1 gets the right answer, we are saved as
a society. (Hooray!)
Which is fine, there has to be a hundred different
efforts out there working on phishing. We seem to
have a few of them right here. And everyone believes
they have the right answer; that's the nature of
the entrepreneurial process.
But that doesn't obviate the statistical observation
that 99% do not have the right answer. Which leads
to my comments as to a) try and see what others are
doing and absorb that, to the limit of your time
available but no more... and b) conduct as many
experiments as you can with as many ideas as you
can, because the market will tell you more than you
can possibly dream up on your own and on the whiteboard.
> The only way across the abyss (Service Pack 2 on the left,
> Big Unused System on the right) I see at the moment is to
> identify your best guess at a long term solution, then break
> the journey to get there into a series of small steps each of
> which produces short term benefit. You can't always get such
> a blend of long term and short term, but it is worth a lot of
> effort to find one.
Ok. So we are travelling somewhat different paths.
I don't have a problem with that. My own path is
predicated on the observations that a) browsing is
here to stay, b) SSL/PKI is an integral part of that
and is therefore here to stay, and c) the cert may
be a lousy trust vector as currently deployed, but
it is a key.
Hence the notion of installing just enough fixes into
the browser so as to use the key as the pointer and
the user as a supplier of relationship info. It
seems achievable in technical terms. In project
terms it still faces an insurmountable resistance,
but Shmoo has shown us a lot of progress there.
iang
PS: are there any screen shots of CapDesk?
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/