[cap-talk] On the importance of being "untrusted"
Tyler Close
list at waterken.net
Tue Mar 1 23:15:25 EST 2005
On Mar 1, 2005, at 1:13 PM, Jed at Webstart wrote:
> As with David Hopwood and as noted before, I prefer the notation
> "unnamed" to "untrusted".
I suspect that you and David want to use the term "unnamed" because you
want to name relationships, regardless of whether they are positive or
negative relationships. I chose the term "untrusted", and used the
green highlighting, specifically to discourage this practice.
Naming a negative relationship creates user expectations that the
petname tool cannot meet. If the user comes to believe that the petname
tool will provide bright red flashing lights when he follows a
hyperlink to a spoof site, the user will be at risk when these alarms
don't go off when he visits a spoof site. It is impossible for us to
reliably identify spoof sites. Even if the user tells us that a
particular certificate corresponds to a spoof site, the spoofer can
simply change certificates to avoid having the negative petname
displayed.
The best we can do is provide bright green flashing lights when the
user visits a site with a positive relationship. All we can
definitively say is there is some trust, or there is no trust. If the
green lights don't go off, the user should be suspicious.
For a fail-safe user interaction model, the distinction provided by the
petname tool must be positive relationship or else no relationship (i.e.,
"untrusted"). Trying to identify negative relationships yields a
fail-open model.
Tyler
---
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
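To make the fail-safe versus fail-open distinction concrete, here is an added example (not Tyler Close's code and not the petname tool's own implementation) that models both designs side by side. It assumes a site is identified by the fingerprint of the certificate it presents, that the user has assigned petnames to a few fingerprints, and that the fingerprint strings are constructed placeholders. The positive-only tool lights green for a known fingerprint and reports "untrusted" for everything else; the negative-list tool lights red only for fingerprints the user has flagged. The simulation then has the spoofer present a fresh certificate, which is exactly the case the message describes.

```python
"""Petname indicator models: positive-only (fail-safe) vs negative-list (fail-open).

Added example, not the petname tool's own code. Assumptions: a site is
identified by the fingerprint of the certificate it presents; petnames are
stored per fingerprint; the sample fingerprints below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample fingerprints (placeholders, not real certificates)
BANK_CERT = "sha256:bank-cert-0001"
SPOOF_CERT_V1 = "sha256:spoof-cert-0001"
SPOOF_CERT_V2 = "sha256:spoof-cert-0002"  # spoofer switches to a new certificate


@dataclass
class PositivePetnameTool:
    """Records only positive relationships: fingerprint -> user-chosen petname."""

    petnames: dict[str, str] = field(default_factory=dict)

    def assign(self, fingerprint: str, petname: str) -> None:
        self.petnames[fingerprint] = petname

    def indicator(self, fingerprint: str) -> tuple[str, str]:
        """Green light with the petname, or the neutral 'untrusted' state."""
        petname = self.petnames.get(fingerprint)
        if petname is None:
            return ("none", "untrusted")
        return ("green", petname)

    @staticmethod
    def user_should_be_suspicious(indicator: tuple[str, str]) -> bool:
        # Fail-safe: anything other than a green light is the warning condition.
        return indicator[0] != "green"


@dataclass
class NegativeListTool:
    """Records negative relationships: fingerprints the user has flagged as spoofs."""

    flagged: set[str] = field(default_factory=set)

    def flag(self, fingerprint: str) -> None:
        self.flagged.add(fingerprint)

    def indicator(self, fingerprint: str) -> tuple[str, str]:
        """Red light only for a fingerprint the user has already flagged."""
        if fingerprint in self.flagged:
            return ("red", "spoof")
        return ("none", "")

    @staticmethod
    def user_should_be_suspicious(indicator: tuple[str, str]) -> bool:
        # Fail-open: the user waits for a red light that may never come.
        return indicator[0] == "red"


def simulate_spoofer() -> dict[str, bool]:
    """Does each model warn the user when the spoofer presents a fresh certificate?"""
    positive = PositivePetnameTool()
    positive.assign(BANK_CERT, "My Bank")

    negative = NegativeListTool()
    negative.flag(SPOOF_CERT_V1)  # user reported the spoofer's first certificate

    return {
        # the real bank: green light, no suspicion
        "positive_warns_on_bank": positive.user_should_be_suspicious(
            positive.indicator(BANK_CERT)),
        # a never-seen certificate has no petname, so the green light stays off
        "positive_warns_on_new_spoof": positive.user_should_be_suspicious(
            positive.indicator(SPOOF_CERT_V2)),
        # the old spoof certificate is flagged, so the red light comes on
        "negative_warns_on_old_spoof": negative.user_should_be_suspicious(
            negative.indicator(SPOOF_CERT_V1)),
        # the rotated certificate is not flagged: no red light, no warning
        "negative_warns_on_new_spoof": negative.user_should_be_suspicious(
            negative.indicator(SPOOF_CERT_V2)),
    }


if __name__ == "__main__":
    for outcome, warned in simulate_spoofer().items():
        print(f"{outcome}: {warned}")
```

The point the simulation makes is the one in the message: a fresh certificate has no entry in either store, but the two tools interpret that absence in opposite ways. The positive-only tool treats "no petname" as the warning state, so certificate rotation buys the spoofer nothing; the negative-list tool treats "not flagged" as silence, so the same rotation removes the only alarm the user was relying on.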