[cap-talk] Webkeys vs. the web
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Wed Apr 1 21:32:23 EDT 2009
Karp, Alan H wrote:
> Bill Frantz wrote:
>> Assume that you have a webkey based system which is initially accessed by
>> "logging on". That logon can be authenticated using a variety of
>> techniques, none of which are particularly capability oriented. Once you
>> are logged on, you are presented with a page which has all of your root
>> authorities, expressed as links.
>>
>> If all of these links open in a different page, getting back to your root
>> authorities is simple, since the root page is still open. Even if you close
>> the root page, you can get it back by logging on again.
>>
> That would work. People are used to logging in again after a period of inactivity.
>
> The problem I have with this scheme and others proposed on this list is that
> people have developed certain use patterns for URLs that are incompatible
> with using URLs to carry authority. Just the other day, I sent the link to
> a news item I saw at Schwab. Since I was logged in, there was also a link
> on the page to where I manage my account. Had this been a webkey system,
> my money might be gone. (Oh wait, that already happened.)
>
> I have become convinced that we cannot treat webkeys as normal URLs because
> people have become too used to sharing them.

I disagree, because sharing webkeys is an intended feature. As others have
pointed out, the scenario above does not describe a valid attack -- the news
item page will not have a direct webkey link to your account page (it might
have a link that requires reauthentication, but that is not a problem).

Do you have any other proposed attacks that would motivate treating webkeys
differently from (other) URLs?
--
David-Sarah Hopwood ⚥