[cap-talk] Define petname
Jed at Webstart
donnelley1 at webstart.com
Wed Feb 23 14:55:25 EST 2005
At 09:10 AM 2/23/2005, Ian G wrote:
>Tyler Close wrote:
>
>>
>>We have a fundamental disagreement over what a petname is.
>>
>>A petname is a mnemonic for a trust relationship. A petname is *not* a
>>mnemonic for an entity.
>
>
>Well! And there was I thinking a petname was a
>local and private name for a local and private
>resource.
From my perspective there's more fire and fury in
this exchange than substance.
You refer to a "local and private resource". Can't
that resource be a trust relationship?
>Could you define relationship, and define trust?
I think dictionary definitions suffice:
1. Relationship: a state involving mutual dealings between entities
2. Trust: Confidence based on past experience.
>I for one generally try and eliminate trust from
>serious conversations as it quickly slips into a
>definition of "what I want it to mean" which then
>means we've moved over to selling, not building.
I don't know, it seems pretty simple to me and has
nothing to do with selling. Perhaps if you're concerned
about how to develop such trust, but there again that
isn't the business of the Petname but of the user.
The user develops trust in the relationship, the
Petname provides the best technical assurance
that we can provide that the relationship remains
fixed - i.e. the same one that we've developed the
trust in.
>People build these things, and if we do not know
>what a thing is, this will slow us down. I think as
>a practical issue, a petname can only name a
>local resource, and that resource may hopefully
>raise relationship information in the human's
>mind, but there is a difference. This is more or
>less the point that Nick brought out.
That "local resource" is exactly the binding between
the user assigned "Petname" and the assurance of
communication with a known entity - based on our
best technical means.
>>When the user is deciding how to evaluate information or actions
>>presented by a web page, only the trust relationship is relevant. In
>>fact, the user should actively ignore the site's identity. The key
>>question is whether or not the user has built up enough trust to
>>authorize the site's use of a given personal detail.
>>
>>The situation is analogous to the way a capability OS implements access
>>control. When deciding whether or not to grant a request, a capability OS
>>does not consider the identity of the requestor, only whether or not the
>>requestor possesses the required capabilities. Similarly, when deciding
>>how to react to a web page, the user should not consider the identity of
>>the website, only whether or not the trust relationship warrants the
>>action. Think of a trust relationship as being like a C-list. A petname
>>refers to a trust relationship in the user's brain in the same way as a
>>pointer refers to a C-list in the kernel's RAM.
>
>Well, maybe. We want the petname to refer to that
>relationship, but we cannot guarantee that it does.
>About all we can do is guarantee that a petname
>refers to a key, and a key has been used before.
>And even that is challengeable at the margin.
I'm not sure what you're questioning. Are you questioning whether the
binding with certificates signed for a given organization is adequate to
assure actual communication to that organization? That is, you're
questioning whether the technology of binding communication by what's in
a certificate is technically adequate?
In that case it seems to me we should either improve it or go with the
best we have. I believe this is a situation where if we can provide better
protection (e.g. from phishing) we should do so and get it out there. It can
always be improved at a later time.
>>The goal of the petname toolbar is to get the user to start thinking
>>about his trust relationships and making effective use of them. To this
>>end, we want the user to tell the browser about his trust relationships,
>>so that the browser can remind the user about them as appropriate. For
>>these reminders to be most effective, untrusted sites must not have an
>>associated petname. The absence of a petname makes it clear that there is
>>no trust between the user and the website.
>
>I don't see why the user can't type in "dodgy porn site"
>as the petname? This is the essence of relationship;
>she has worked something out about that site in the
>past, and may decide she's seen it a few times and wants
>to set that 'trust' in negative form as well as positive form.
That seems an entirely reasonable use of the Petname to me - though
I'm not sure I would waste my time on that particular example.
On the other hand a site that claims to be Paypal like
the original Shmoo example (which I notice they have changed
somewhat) I might label as FAKE! or the like - though I'm sure other
examples are possible and "untrusted" should suffice (though
I still prefer to distinguish between "untrusted" and "unknown").
>>I made this point to you when reviewing your article, but you never
>>responded and it seems the point didn't fully stick. Petnames are not
>>about naming websites. Petnames are about remembering and applying trust
>>relationships.
>
>Well, we all need to go back to class and learn again.
>AFAICS, the system I'm working on now uses petnames,
>and they are not totally for the purpose of trust.
>
>Can we get an objective definition of petname, one that
>does not use the word 'trust', which lacks objectivity?
I gave it another shot in a recent email and haven't yet gotten any feedback:
_________________________________________________________
The Petname mechanism is a tool that allows users to associate a
name (the "Petname") with a safe binding to a known organization
on the Web. Such a name binding can help users avoid "phishing" attacks.
If a user sees a bound Petname in the toolbar they can have confidence
the site they are communicating with is the same organization that they gave
the Petname to. The Petname tool can help users build up trust relationships
with organizations on the Web.
__________________________________________________________
Again too wordy, but does it capture a less controversial description of
the value provided by the Petname mechanism?
--Jed http://www.webstart.com/jed/
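
Added example, not part of the original message and not the petname toolbar's code: a minimal model of the binding discussed in the thread, where a petname refers to a key the user has seen before and the site's own claimed name is ignored. The class `PetnameStore`, the method names, the use of a SHA-256 fingerprint over the key bytes, and the rule that one petname may not cover two keys are assumptions of this sketch; the keys are constructed sample values.

```python
import hashlib

NO_PETNAME = "(no petname)"  # shown for sites the user has never named


class PetnameStore:
    """User-local map from a site's key fingerprint to the user's petname."""

    def __init__(self):
        self._by_key = {}  # fingerprint -> petname

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        return hashlib.sha256(public_key).hexdigest()

    def assign(self, public_key: bytes, petname: str) -> None:
        fp = self.fingerprint(public_key)
        # Assumption of this sketch: one petname never covers two keys,
        # otherwise the name no longer pins down a single binding.
        for other_fp, name in self._by_key.items():
            if name == petname and other_fp != fp:
                raise ValueError(f"petname {petname!r} is bound to another key")
        self._by_key[fp] = petname

    def toolbar_text(self, public_key: bytes, claimed_name: str) -> str:
        # claimed_name is whatever the site says about itself; it is
        # deliberately ignored. Only the key the user bound earlier counts.
        return self._by_key.get(self.fingerprint(public_key), NO_PETNAME)


def demo():
    # Constructed stand-ins for two sites' public keys.
    real_key = b"constructed-key-A"
    lookalike_key = b"constructed-key-B"

    store = PetnameStore()
    store.assign(real_key, "My PayPal")

    seen = {
        "real": store.toolbar_text(real_key, "PayPal"),
        "unknown": store.toolbar_text(lookalike_key, "PayPal"),
    }
    # The user may also record a negative judgement, as in the thread.
    store.assign(lookalike_key, "FAKE!")
    seen["untrusted"] = store.toolbar_text(lookalike_key, "PayPal")
    return seen


if __name__ == "__main__":
    print(demo())
```

The three results correspond to the three states the message distinguishes: a bound petname, an unknown site with no petname, and a site the user has explicitly labelled as untrusted.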