[cap-talk] A petname toolbar for Firefox
Ka-Ping Yee
cap-talk at zesty.ca
Tue Feb 22 17:52:57 EST 2005
On Mon, 21 Feb 2005, Tyler Close wrote:

> Given this warning message phrasing, I also agree with Ping and Jed. I
> remembered Ping's proposal as having a warning message more like: "You
> have not assigned a petname to this site. The site would like to be
> called paypal.com".

You're right -- an older version of the warning message did look like
that, in an article i was writing at the time. I ended up thinking
about a variety of possible ways to word the message. On the whole
i believe we both agree that the message should not be a command (e.g.
"You should assign a petname now.") but a statement of fact (e.g. "This
site is a stranger.")

This would be consistent with the general theme of user-initiation,
which i think is a valuable way of thinking about usable security design.
That is, the user decides what he wants to do, and then the system figures
out how to accomplish it securely. As opposed to, the system tells the
user how he should change security settings, and then the user follows
instructions blindly. The user should be proactive, not reactive.

> I think it is important that there also be a way to turn off these
> warnings, other than by assigning a petname to an untrusted site.
> Interacting with an untrusted site will be a common task, so the
> clutter would be annoying. There needs to be a way to cast off the
> training wheels, without undermining the protection model.

I think the distinction between naming and trusting is an important
distinction being missed here. What you refer to as "untrusted sites"
are really un*named* sites. Whether or not i have named a particular
entity is orthogonal to whether i trust it to do a particular thing.
(To be sure, when i name something, the name mapping itself should be
trustworthy, but trust in the mapping is not the same issue as trust
in the named entity.) When i name something, that does not imply
that i trust it. The name also can be useful to me as an indicator of
untrustworthiness.

In my opinion, the petname system's job is to maintain reliable name
mappings for me, not to make assumptions about trust. In general,
software can provide me information (whether that consists of gathering
external information or augmenting the reliability and capacity of my
own memory) to help me decide who to trust, but it can't decide *for*
me who i trust.

Therefore, yes, interacting with an untrusted site will be a common task,
and that is something we cannot (and should not try to) change. But
interacting with an unnamed site does not have to be a common task; in
fact, in order to establish the name mapping system as a reliable and
natural part of normal workflow, we should strive to make that uncommon.

-- ?!ng