[cap-talk] Phishing, YURLs, Petnames, (un)trusted channels

Ian G iang at systemics.com
Wed Feb 15 18:12:16 EST 2006


Jed at Webstart wrote:
> At 04:48 AM 2/15/2006, Ian G wrote:
> 
>> Jed at Webstart wrote:
>>
>>>> This is fine if users understand this. However, I think most cannot be 
>>>> expected to make this distinction. (As usual, this is a total 
>>>> generalisation with no real evidence to back it up -- we can argue 
>>>> over whether it's acceptable if people like).
>>>
>>>
>>> For me this gets back to the notion of KISS.  I believe that if we 
>>> can emphasize/promote/sell,etc. the idea of trusting only trusted 
>>> channels of communication (sounds almost tautological) then we will 
>>> have a solid and dependable model of communication.  From my 
>>> experience just about everybody I've dealt with including grandma can 
>>> understand a notion like a trust label such as the lock icon.  From 
>>> my perspective the problem with that mechanism (e.g. as seen in many 
>>> examples) is that it's built on what might be a workable economic 
>>> model (money for Verisign, RSA, and others), but not on a sound 
>>> technical model (e.g. the recent phishing example and others).
>>
>>
>> Right.  It all depends who is doing the selling.
> 
> 
> I hope and expect that eventually the selling will come down to meeting 
> the needs of end users.


:-)  That might be hopeful.  There is a severe shortage of
evidence that major systems and this one in particular
were designed to meet the needs of end users.  To some
extent I discuss this decade old story here:

https://www.financialcryptography.com/mt/archives/000609.html

(Skip down to the 10 points.)  The point being that
when we discuss the PKI for secure browsing, try not
to rely too much on what end users need.

>> If it is "the caps crowd" then the Petname bar
>> may be the right way to go, because of its KISS
>> rating.  If we widen it out somewhat to a larger
>> community, then hypothetically Trustbar becomes
>> more attractive.
> 
> 
> Could you define what your measure of "width" is in the above?  It 
> sounds to me like you're referring to different audiences and perhaps 
> interest groups.


Yes.  To the extent that it is not deliberately vague,
I'd say these things:

   * Petname is popular in the caps community
   * in the community that considers the practical
     issues phishing, fraud, browser security, there
     are a number of good ideas floating around:
        + petnames
        + CA logo branding
        + 2factor tokens
        + DSS / security skins
        + "phone home" centralised DBs
        + ...
     without talking about the merits of each.
   * as more and more ideas wash around, a tool
     that does more is more attractive
   * as the institutional mind grows, it leaves
     behind the KISS aspects

In that environment, Trustbar might do better than
Petnames, not because it is better, but because it
does more, and therefore appeals to a larger audience.
This is completely hypothetical, to make the point,
and we can note that HP for example is apparently
not following that trend.

>> Wider still, (it is reported to me that) the way
>> Microsoft is thinking is brand, logos, Verisign,
>> partnerships, etc.  Which makes sense.  For them,
>> the workable economic model of "money for CAs,
>> liability shifting for Microsoft" is a good deal,
>> and in comparison Petname and Trustbar are toys
>> because they don't answer important institutional
>> questions.
> 
> 
> Institutional questions from the viewpoint of users or of vendors?

Vendors.

> It 
> seems to me there could be a conflict of interests.  I'm hopeful that 
> ultimately the interests of the users will prevail, but in the short run 
> it seems to me the vendors are making hay at the user's expense.


Same as it ever was!  Actually, I'd say that the
vendors - some of them - made hay in 1995, and now
the ones that are left are not making enough hay
to face the future.


>>> I believe that any mechanism with a comparable user interface would 
>>> also work.  For example using the petname toolbar for Web access 
>>> seems fine to me.  I believe there could as easily be such a 
>>> mechanism for email - though I don't know of one at the moment.
>>
>>
>> Email is easy.  The users don't need a secure
>> introduction method, period.  Just distro the
>> self-signed keys and let them establish relationships
>> in the SSH model.  That's how PGP works (sans WoT,
>> in most of the world).
> 
> 
> When you say "Email is easy" I assume you mean in principle or perhaps 
> for sophisticated users.


Sorry, I meant that email is easy to implement and
design as a secured system, in the sense that we
know how to do that now.  It is only because of some
relatively simple, tractable issues that we don't
have secured emails.  For S/MIME it is a brain-
dead design where certs require permission, and
for OpenPGP it is the lack of integration within
major mailers.  Between the two there is a complete
solution.

> I've got an extensive web of trust that I use 
> with pgptool and integrate with my current Eudora mail tool.  These 
> mechanisms work, barely, but there's no way my mother in law could use 
> them.  There's no mechanism for easily transferring trust (e.g. from a 
> trusted email to a trusted Web site or vice versa), no simple and 
> effective labeling for trust (e.g. like the petname toolbar for email), 
> etc.


We are possibly talking at cross-purposes.  I
read the above as "email in isolation" rather
than "email as integrated with ..."

> If there are good integrated packages that people are using and 
> recommend, I'd like to hear about them and give them a try.  I'd like to 
> have something that I could recommend to friends.  I can't generally 
> recommend what I use.

You are right.  I was talking at the design
level, not the availability level.

iang
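
Added example, not part of the original message or of any tool named in the thread: a sketch of the "SSH model" for email combined with a petname label, where the label is bound to the sender's key fingerprint and never to the name or address the message claims. The class name, addresses and key bytes are hypothetical, and the sketch assumes the message signature has already been verified against the presented public key.

```python
import hashlib

class PetnameStore:
    """Key-continuity store: the user's petname is bound to a key fingerprint."""

    def __init__(self):
        self.by_fpr = {}   # fingerprint -> petname chosen by the user
        self.by_addr = {}  # address -> fingerprint pinned when the petname was assigned

    @staticmethod
    def fingerprint(pubkey: bytes) -> str:
        return hashlib.sha256(pubkey).hexdigest()

    def assign(self, pubkey: bytes, addr: str, petname: str) -> None:
        """User decision on first contact: label this key and pin it to the address."""
        fpr = self.fingerprint(pubkey)
        self.by_fpr[fpr] = petname
        self.by_addr[addr.lower()] = fpr

    def classify(self, pubkey: bytes, addr: str):
        """Return (status, petname) for a message signed by pubkey claiming addr."""
        fpr = self.fingerprint(pubkey)
        if fpr in self.by_fpr:
            return ("known", self.by_fpr[fpr])          # same key as before: show petname
        pinned = self.by_addr.get(addr.lower())
        if pinned is not None:
            # Address seen before under a different key: warn, as SSH does on a host key change.
            return ("key-changed", self.by_fpr[pinned])
        return ("stranger", None)                        # no petname shown, whatever name is claimed

# Constructed sample keys and addresses (not real key material).
BANK_KEY = b"constructed-public-key-bytes-A"
OTHER_KEY = b"constructed-public-key-bytes-B"

def demo():
    store = PetnameStore()
    store.assign(BANK_KEY, "alerts@bank.example", "My Bank")
    return [
        store.classify(BANK_KEY, "alerts@bank.example"),          # returning correspondent
        store.classify(OTHER_KEY, "alerts@bank-secure.example"),  # lookalike address, new key
        store.classify(OTHER_KEY, "alerts@bank.example"),         # pinned address, different key
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```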

