[cap-talk] Petname Tool at W3C workshop
Jed at Webstart
donnelley1 at webstart.com
Thu Feb 16 16:30:58 EST 2006
At 11:13 AM 2/16/2006, Tyler Close wrote:
>Hi all,
>
>My paper on the Petname Tool for the "W3C Workshop on Transparency and
>Usability of Web Authentication" was accepted. The workshop home page
>is
>
>http://www.w3.org/2005/Security/usability-ws/Overview.html
>
>The paper I submitted is at:
>
>http://www.w3.org/2005/Security/usability-ws/papers/02-hp-petname/
>
>The paper includes an acknowledgment for the contributions of the
>members of the cap-talk mailing list. Thanks again for your help
>developing the Petname Tool.
I read the above paper with interest. Short and sweet.
There are a couple of points I'd like to understand about the "A step further"
section where you discuss:
"A further step would be to bind authorization tokens, such as passwords,
to the cryptographic designator of the site they should be submitted to."
Did you intend to refer to passwords as "authorization" tokens
rather than as "authentication" tokens? Was that intended as something
of a dig at ambient authority sorts of authorization mechanisms where
there is first an authentication to identify the user (ambient authority)
and then a separate mechanism to determine the authorizations of
that user?
Then when you describe a mechanism where a "...browser's password manager
should generate passwords on behalf of the user and autofill login forms with
the user's username and password.", I wonder how the username gets created
with such a mechanism. This has always seemed an awkward situation to me,
particularly with regard to conflicting names. Since I consider the username
superfluous, I find it particularly irritating.
I wonder why you didn't plug your YURL scheme in the above? Isn't it really
something like a YURL that the user (the person, not the computerized
"username") needs for remote authorization? With such an approach there is
no 'username' needed. Any binding to a person happens directly to the person,
e.g. with their real name, perhaps address, etc., rather than binding through
an intermediate 'username' that can oftentimes be a source of confusion (e.g.
conflicting names) but to my understanding provides no value in itself.
One other minor point about the paper (perhaps it isn't in final form?): I
have always thought it a good idea to spell out technical abbreviations once
in such papers. The one that struck me was UI - User Interface. Next might be
SSL - Secure Sockets Layer. Maybe WWW and URL are enough in the language these
days that they don't need to be spelled out when first used in a paper? If
there's a common style for such technical abbreviations these days I'd like
to hear about it.
--Jed http://www.webstart.com/jed/
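The "step further" discussed in this thread, as an added illustration that is not code from Tyler's paper or from the Petname Tool: a password store that binds each generated password to the site's cryptographic designator (here, a SHA-256 hash of the site's public key) instead of to its hostname, so a look-alike site presenting a different key gets nothing autofilled. The class and function names and the byte-string "keys" are constructed placeholders.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass


@dataclass
class Binding:
    petname: str    # user-chosen label for the site, e.g. "my bank"
    key_hash: str   # cryptographic designator the credentials are bound to
    username: str
    password: str


def designator(site_public_key: bytes) -> str:
    """Derive the site's cryptographic designator from its public key."""
    return hashlib.sha256(site_public_key).hexdigest()


def generate_password(length: int = 20) -> str:
    """Generate a random password on the user's behalf (no user choice needed)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class PetnamePasswordManager:
    """Credential store keyed by the site's key hash, never by its hostname."""

    def __init__(self) -> None:
        self._by_key: dict[str, Binding] = {}

    def enroll(self, petname: str, site_public_key: bytes, username: str) -> str:
        """Bind a freshly generated password to this site's designator."""
        key = designator(site_public_key)
        password = generate_password()
        self._by_key[key] = Binding(petname, key, username, password)
        return password

    def autofill(self, presented_public_key: bytes):
        """Return (petname, username, password) only if the presented key
        matches a stored binding; a different key yields None even if the
        hostname or page looks identical to the enrolled site."""
        binding = self._by_key.get(designator(presented_public_key))
        if binding is None:
            return None
        return binding.petname, binding.username, binding.password
```

The hostname is deliberately absent from the lookup: the user's petname is attached to the key, so a phishing page that cannot present the enrolled key never receives the password.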