[cap-talk] pet names and sticky notes

zooko at zooko.com zooko at zooko.com
Thu Feb 16 17:25:31 EST 2006


(The intended reader of this message is already familiar with the concept of
pet names [1, 2, 3].)


Dear cap-talk:


part one: "sticky notes" are a better marketing term than "pet names"

I've observed "marketing failure" when trying to persuade security engineers to
use the petnames technique for securely identifying repeated peers.  Many
engineers were averse to the idea for reasons that I didn't understand.  In
fact, some people that I have talked to have heard of the idea but have never
learned its meaning, which might indicate that the name itself -- "pet names"
-- is discouraging people from learning more.

Recently I've had the experience of marketing successes with a closely related
concept: "sticky notes".

A sticky note is a persistent record of the user's notes about a remote object,
which is securely stored by the user's agent and securely linked to the remote
object by the user's agent.  "Sticky notes" are currently in use in on-line
poker sites (if one considers the central server to be considered the user's
agent in this case).  The metaphor presented to the user by such sites is
precisely that of a sticky note, attached to the other player, into which the
user can type any data that they please.


part two: sticky notes are one element of a pet name system

A pet name system typically comprises lambda names (mapping a secure local
label to a secure pointer) and sticky notes (mapping a secure pointer to a
secure local label), and often also includes nicknames (suggested values for
newly created secure local labels) and linked local namespaces a.k.a.
path-based names [4].  It may be useful to have a term to refer specifically to
the sticky note element of a full naming system.


part three: sticky notes alone might satisfy some needs

There are two differences between pet names as described in [1] and [2] and
sticky notes.

The first is that sticky notes are not used as lambda names.  The user never
starts with a sticky note and then looks up the object to which the sticky note
is attached.  Only the reverse lookup happens -- the user encounters an object
such as a remote peer and is then presented with the sticky note attached to
that object.

The second is that the information stored in the sticky note is not influenced
by the remote peer (except inasmuch as the remote peer can influence what the
local user chooses to write into the note).  This contradicts a common pattern
in pet name systems that a "suggested pet name" or "nickname" may be
transmitted by the remote peer and serve as a default or suggested value.

These two characteristics of sticky notes are useful for analyzing the security
properties of the approach and for establishing a conceptual separation between
sticky notes and related concepts such as nicknames, lambda names, linked local
namespaces, centralized names, etc.  Therefore, these two characteristics of
sticky notes are useful for "marketing" purposes -- to promulgate the idea.

These two characteristics may also have better security and usability
properties than pet names in some use cases.  More study is warranted.


I welcome your feedback on this issue.


Thanks to Brian Warner, Tyler Close, Wes Felter, Jon Callas, Phil Zimmermann,
Brad Templeton, Nathaniel J. Smith, Graydon Hoare, Marc Stiegler and others.


Regards,

Zooko

[1] http://www.erights.org/elib/capability/pnml.html
[2] http://www.skyhunter.com/marcs/petnames/IntroPetNames.html
[3] http://www.waterken.com/dev/YURL/Analogy/
[4] http://citeseer.csail.mit.edu/rivest96sdsi.html 


More information about the cap-talk mailing list