[cap-talk] A petname toolbar for Firefox
Tyler Close
list at waterken.net
Mon Feb 21 19:10:20 EST 2005
On Feb 18, 2005, at 5:35 PM, Jed at Webstart wrote:
> Good idea. Thanks for setting this up Tyler! Here's my initial
> experience:
>
> 1. I needed to allow www.waterken.com to install the software.
I've added a note to this effect in the installation instructions.
Thanks.
> 3. In following the instructions on the above Web page it was a
> little awkward in that the Petname toolbar wasn't named and just
> appeared as a blank form window. There was nothing "Petname" about
> it, though if I can figure it out I guess others can.
Yes, I haven't been able to figure out how to get a "Petname" title to
appear in the toolbar palette. Documentation of this feature of XUL is
extremely sparse.
> ... Now having gotten some experience with this Petname toolbar, here
> is the thought that most strikes me:
>
> To get effective protection from such a mechanism I believe it
> important that there be some mechanism to warn a user if they enter
> data into a site that is "untrusted". Of course I understand that
> there are trust issues even to reading data. Perhaps one should have
> the option of being warned about even viewing data from untrusted
> sites, but I definitely think there should be an option (which I
> believe should be the default) for getting warned about submitting
> data to an untrusted site.
So, there is a warning. The petname toolbar does show "untrusted",
indicating that you are submitting data to an untrusted website. It's
just not very pushy about it. ;)
Ping has also suggested this more intrusive form of warning. I am still
unsure about it. At first, it seems like a good set of training wheels
to encourage use of the petname toolbar. Further thought makes the idea
seem more dubious.
The user should *not* make a petname for every site he interacts with,
only for the sites for which he extends some trust. A dialog which
forces the user to create a petname for an untrusted site creates a
misunderstanding of the purpose of the petname toolbar and builds bad
user habits. It also has the side-effect of making the petname toolbar
seem like an annoying bit of homework that constantly pesters the user.
In "The Humane Interface", Jef Raskin argues that these types of
messages from the computer to the user not interrupt the user's
workflow. The user may know very well that he's using an untrusted
site, so having the computer interrupt the workflow is an unwanted and
unneeded distraction. I think this argument is applicable in this case.
I think it's better for the petname toolbar to always have the data
displayed and ready to be used, but not interrupt the workflow.
> On the implementation side I want to know how the binding between the
> Petname and the site actually works. If the site's certificate is
> changed will it become untrusted?
No. The relevant details are quoted below. Just to recap, the browser
stores a binding of: (domain name, CA public key) to petname.
> R.e.:
>
> On Feb 18, 2005, at 8:36 AM, Ka-Ping Yee wrote:
> > There's one thing i
> > don't understand, though. Why do you store the petname keyed by
> > the root CA's fingerprint instead of the site's fingerprint?
> > (I see that you still use the domain name so that different
> > domains signed by the same CA are distinct, but i don't see why
> > the CA's certificate needs to be involved at all.)
>
> I'd be interested to know how Ka-Ping Yee figured the above out. It
> wasn't obvious to me. In the above case then it would seem that the
> Petname binding will still 'expire' when the CA certificate expires.
> E.g. it seems that many of the Verisign CA certificates expire in
> 2028. I guess your attitude is that if things last that long then you
> will be delighted?
I am hoping that 20 years or so will be enough time to deploy HTTPSY,
giving sites full control over their certificate lifecycle. I expect
changes in root CA certificates to be handled via an introduction of
the new site by the old site. For example, Ameritrade, an online stock
broker, recently did a site redesign. The old site explains this and
provides a link to the new site. If using HTTPSY, these GUI update
events could be made to coincide with the introduction of a new CA
public key for the site. I expect marketing departments will continue
to ensure that GUI fads have a faster lifecycle than public keys.
> Thanks for putting something out there to make this discussion more
> concrete Tyler!
And thank you for the feedback.
I have a fantasy that the cap-talk list could make a group
recommendation of the petname toolbar to the Firefox project. Perhaps
that's too ambitious, but if so, I want to make sure it's not for lack
of opportunity.
Tyler
---
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/