[cap-talk] back to: First point of consensus

Ian G iang at systemics.com
Sat Feb 12 11:55:56 EST 2005


Hi Jed,

(trying to clean up the backlog here!)


Jed Donnelley wrote:

>>
>> Well, the issue is that "how the petname
>> gets added in and used" is somewhat or
>> highly dependent on how the naming or
>> pointing is done.
>
>
> Certainly binding the Petname to a pointer
> of some sort (keys I think you call them in:
> http://www.erights.org/elib/capability/pnml.html
> ) is dependent on the nature of
> the pointers.  There has to be an interface
> that supports such bindings.  However, if
> the binding is to a URL now and to a
> YURL or a fingerprint later - it seems to me
> that the base Petname mechanism still
> adds value (at least it's much less likely that
> there will be confusion in linking through a
> Petname - even if what it's bound to is
> questionable).


If the Petname mechanism binds to a URL
then it has to deal with URLs in the same
family.  A lot would depend then on how
well different domains were handled.  For
example wildcard SSL certs overcome this
at least in theory.

As we are talking about security areas, one
of the premises I have used - always challengeable
of course - is to assume that the cert is in
place, and if not then we are dealing with
an insecure situation anyway.  That is, to
index off the cert makes a lot of sense.

...

> Please suggest specifics so that we can decide if
> our "First Point of Consensus" might be misplaced.
> I agree with Ben Laurie's original point that if we can't
> decide on specific approaches that seem to be promising
> to pursue to solve specific problems then it seems we are
> doomed to wallow around wasting our typing.


The two things that I see first off are that
a) absolute statements of security will lead
to a false sense of security, and b) without
a proposal as to how the petname is bound
and/or pointed within the target browser
(Ref: ZT) then it is a conceptual proposal,
so it isn't appropriate to say that it solves
phishing.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
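
The contrast discussed in the message above, binding a petname to a URL versus indexing it off the certificate, as an added example that is not part of the original post. The class names, hostnames and certificate bytes are constructed for illustration, and a SHA-256 hash over the presented certificate bytes stands in for whatever key a real browser would use.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certs).
WILDCARD_CERT = b"constructed-cert:*.example-bank.test"
LOOKALIKE_CERT = b"constructed-cert:www.examp1e-bank.test"


def fingerprint(cert_der):
    """SHA-256 fingerprint of the certificate bytes the site presented."""
    return hashlib.sha256(cert_der).hexdigest()


class UrlPetnames:
    """Petnames bound to the exact host part of a URL (hypothetical store)."""
    def __init__(self):
        self._names = {}

    def assign(self, host, cert_der, petname):
        self._names[host.lower()] = petname      # certificate is ignored

    def lookup(self, host, cert_der):
        return self._names.get(host.lower())


class CertPetnames:
    """Petnames indexed off the certificate (hypothetical store)."""
    def __init__(self):
        self._names = {}

    def assign(self, host, cert_der, petname):
        if cert_der is None:
            raise ValueError("no certificate: nothing to bind the petname to")
        self._names[fingerprint(cert_der)] = petname

    def lookup(self, host, cert_der):
        if cert_der is None:                     # no cert in place: insecure
            return None
        return self._names.get(fingerprint(cert_der))


def compare(visits):
    """Return (host, url_bound_petname, cert_bound_petname) for each visit."""
    by_url, by_cert = UrlPetnames(), CertPetnames()
    for store in (by_url, by_cert):
        store.assign("www.example-bank.test", WILDCARD_CERT, "My Bank")
    return [(h, by_url.lookup(h, c), by_cert.lookup(h, c)) for h, c in visits]


# Constructed visits: same host, sibling host under the wildcard cert,
# a lookalike host with its own cert, and the original host with no cert.
VISITS = [("www.example-bank.test", WILDCARD_CERT),
          ("login.example-bank.test", WILDCARD_CERT),
          ("www.examp1e-bank.test", LOOKALIKE_CERT),
          ("www.example-bank.test", None)]
```

Calling `compare(VISITS)` shows the sibling host keeping the petname only under certificate indexing, and the certificate-less visit keeping it only under URL binding. A fingerprint key changes whenever the site replaces its certificate, so a real design would need a rebinding step for that case.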
