[cap-talk] On the importance of being "untrusted"
list at waterken.net
Tue Mar 1 23:15:25 EST 2005
On Mar 1, 2005, at 1:13 PM, Jed at Webstart wrote:
> As with David Hopwood and as noted before, I prefer the notation
> "unnamed" to "untrusted".
I suspect that you and David want to use the term "unnamed" because you
want to name relationships, regardless of whether they are positive or
negative relationships. I chose the term "untrusted", and used the
green highlighting, specifically to discourage this practice.
Naming a negative relationship creates user expectations that the
petname tool cannot meet. If the user comes to believe that the petname
tool will provide bright red flashing lights when he follows a
hyperlink to a spoof site, the user will be at risk when these alarms
don't go off when he visits a spoof site. It is impossible for us to
reliably identify spoof sites. Even if the user tells us that a
particular certificate corresponds to a spoof site, the spoofer can
simply change certificates to avoid having the negative petname
The best we can do is provide bright green flashing lights when the
user visits a site with a positive relationship. All we can
definitively say is there is some trust, or there is no trust. If the
green lights don't go off, the user should be suspicious.
For a fail-safe user interaction model, the distinction provided by the
petname tool must be positive relationship or else no relationship (ie:
"untrusted"). Trying to identify negative relationships yields a
The web-calculus is the union of REST and capability-based security:
More information about the cap-talk