[cap-talk] Define petname
Nick Szabo
szabo at szabo.best.vwh.net
Wed Feb 23 23:37:51 EST 2005
Tyler's recent definition is a big improvement:
> "A petname is a mnemonic for a set of granted authorities"
This is refreshingly straightforward -- I think we can get a lot farther
analyzing petnames by starting with this.
Tyler goes on to elaborate:
> we must ask ourselves questions that reify these
> authorities. For example, "Am I willing to type my social security
> number into this web page?". The petname toolbar helps put us in the
> right context to answer this question by reminding us which trust
> relationship, or set of authorities, we are querying.
This approach helps to clarify thinking, because there are
different kinds of trust and different kinds of authority to grant.
Alas, one cannot separate a "trust relationship" from an entity
(whether that entity is a website, individual, organization,
every member of the local Rotary Club, everybody one knows who likes
Mozart, etc.) In line with the subjective petname approach, it is
ultimately up to the user to decide what that "entity" is, but it's
still thought of as an entity, and how the user defines the entity will
in practice be based largely on "hints" or "introductions", i.e. outside
information of varied reliability (e.g. a CA to define an "organization").
A better way of saying a user "trusts" an entity with certain
authorities is to say that the user has opinions about what authorities
he would be willing to grant to the entity in exchange for benefits expected
from those grants. A better term than "trust" for this might be "mental
matrix", the hypothesis the user has formed about what kinds
of authorities to grant to the entity. This matrix is not articulated,
but tacit, and there are mental transaction costs and potential errors
whenever we ask a user to articulate part of that mental matrix by
specifying an authority to grant. If a user were to do a perfectly
secure job of maintaining pet names, he would need to keep a perfect
mental access matrix in his mind and articulate it perfectly to
the computer. Reality will be an error-prone and costly approximation.
For example, a user may, upon reading an e-mail from his bank that says
to go to "wamu.com" and put in his password, suddenly realize how important the
security of his bank account is, and follow the instructions, even though the
site is "untrusted" or "unnamed", like most of the other sites he uses,
because he hadn't thought much about the security of his bank account
before he got that e-mail. The user now expects a great security benefit
from giving up some information, and does so.
The quality of such "hints" and "introductions" varies quite a bit.
Phishing is a hint attack, a bad hint that looks like a good one.
If the user worked harder to learn what features like the Petname
Toolbar are for and then worked harder to give petnames to the websites
he used, had enough knowledge and presence of mind to give a petname to
the bank when he set up his account, or similar, or was more suspicious
of his e-mails -- i.e. if the user incurred greater mental transaction
costs -- such confusion would be reduced. If the user got more reliable
information in the first place both confusion and mental transaction
costs would be reduced. It's this outside information that is crucial.
Keeping a mental access matrix is a complex and error-prone task, but can be
greatly improved with good outside help.
Thus a petname is a mnemonic for a set of granted authorities
_and_ the user's conception of and opinions about the grantee relevant
to granting such authorities. This suggests that the petname could consist
of two parts, one referring to the mental access matrix, the other referring to the
authorities granted by the computer -- in other words one part a
mnemonic for the entity and opinion (e.g. "dodgy porn site"), the other
a mnemonic and/or link to the granted authorities. The list of
such authorities granted by the current application might be
invoked by clicking on or mousing over the petname, where those
authorities take the form of capabilities or similar that the
computer can keep track of.
Most crucially, petnames must be connected to reliable sources of
information to help the user (and even the user's computer
directly) form accurate conceptions of the entities and the
kinds of authorities they should be granted, including reliable
"hints" for the petnames themselves.
And now to Jed's definition:
> The Petname mechanism is a tool that allows users to associate a
> name (the "Petname") with a safe binding to a known organization
> on the Web.
The binding is not necessarily "safe", the organization is
probably not very well "known", and there are other entities
one might want to grant authorities to besides organizations.
> Such a name binding can help users avoid "phishing" attacks.
A plausible claim, but if the mental transaction costs are
large then the help will be insignificant. Much more help can
come from the user, or the user's computer directly, being informed by
accurate information.
> If a user sees a bound Petname in the toolbar they can have confidence
> the site they are communicating with is the same organization that they gave
> the Petname to.
This is particular to the case of CAs, and depends on how reliable
(not merely how well trusted) the CA actually is. Also, it depends
on how the CA comes up with the label in the "O" field, and what
that label allows the user to do (remember a brand name? find out where
to serve process in a lawsuit?)
Nick Szabo
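The two-part petname sketched in the message above (a mnemonic for the entity and the user's opinion of it, plus a computer-tracked list of granted authorities) and the "wamu.com" e-mail scenario, worked through as an added example. This is not code from Nick Szabo's post nor from any actual Petname Toolbar; it assumes the site identity the table is keyed on is a SHA-256 fingerprint of the site's certificate (not the hostname or a CA's "O" field), that authorities are represented as plain string labels standing in for capabilities, and that the two certificates are constructed byte strings rather than real DER.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Petname:
    """Two-part petname as proposed in the post: the user's mnemonic for the
    entity (and his opinion of it), plus the authorities he has granted it."""
    mnemonic: str
    authorities: FrozenSet[str]


def site_key(cert_der: bytes) -> str:
    """Identity the computer can verify on its own: a fingerprint of the site's
    certificate (assumption of this example). Deliberately not the hostname
    or a CA-supplied organization label, since those are what a phisher imitates."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameTable:
    """Subjective, per-user table from verifiable site identity to petname.
    Any site the user has not deliberately named is simply 'unnamed'."""

    def __init__(self) -> None:
        self._bindings: Dict[str, Petname] = {}

    def bind(self, key: str, mnemonic: str, authorities: FrozenSet[str]) -> None:
        self._bindings[key] = Petname(mnemonic, authorities)

    def toolbar_label(self, key: str) -> str:
        """What the toolbar shows for the current site."""
        pn = self._bindings.get(key)
        return pn.mnemonic if pn else "unnamed"

    def granted(self, key: str) -> FrozenSet[str]:
        """The list a user would see by clicking on or mousing over the petname."""
        pn = self._bindings.get(key)
        return pn.authorities if pn else frozenset()

    def may_release(self, key: str, authority: str) -> bool:
        """Reify the question 'am I willing to give this site X?' as a lookup
        in the recorded (rather than merely mental) access matrix."""
        return authority in self.granted(key)


# Constructed sample data (not real certificates): one stands in for the bank,
# the other for a lookalike phishing site named to resemble it.
BANK_CERT = b"constructed DER for CN=wamu.com"
PHISH_CERT = b"constructed DER for CN=wamu-secure.example"


def build_example_table() -> PetnameTable:
    """The user named the bank when opening the account and granted exactly two
    authorities. The social security number is deliberately not among them."""
    table = PetnameTable()
    table.bind(site_key(BANK_CERT), "my bank (WaMu)",
               frozenset({"bank password", "account number"}))
    return table


def phishing_email_scenario() -> Dict[str, object]:
    """The e-mail says 'go to wamu.com and put in your password'. Report what
    the toolbar tells the user at the real bank and at the lookalike site."""
    table = build_example_table()
    bank, phish = site_key(BANK_CERT), site_key(PHISH_CERT)
    return {
        "bank_label": table.toolbar_label(bank),
        "bank_may_get_password": table.may_release(bank, "bank password"),
        "bank_may_get_ssn": table.may_release(bank, "social security number"),
        "phish_label": table.toolbar_label(phish),
        "phish_may_get_password": table.may_release(phish, "bank password"),
    }


if __name__ == "__main__":
    for question, answer in phishing_email_scenario().items():
        print(f"{question}: {answer}")
```

The point the table makes concrete is the one the message argues: the binding only helps if the user incurred the mental transaction cost of naming the bank beforehand. If he had not, the real bank and the lookalike would both show "unnamed" and the table would be silent on both.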