[cap-talk] Webkeys vs. the web

Karp, Alan H alan.karp at hp.com
Thu Apr 2 11:32:26 EDT 2009


James A. Donald wrote:
> 
> The idea of an authority carrying bookmark is very close to the idea
> that everyone is familiar with - that you should go to your bank and so
> forth by your bookmark, not someone else's bookmark.

Protection against phishing is why people trust their bookmarks, but that's not the same thing as keeping their bookmarks private because they carry authority. In fact, I don't have any bookmarks that carry authority. Further, my concern goes beyond bookmarks to any URL the user might share, such as the webkeys on a page.

>
> People instinctively grasp the idea that this is mine, so I can trust
> it, and should keep it close and not let it go, and that is someone
> else's, so not necessarily trustworthy.

You are making my point for me. People don't think of URLs as carrying authority. For example,

	You might like the online bank I use.  Here's my banking bookmark.

	https://investing.schwab.com/trading/start?KC=YES&TARGET=_top&NoProxy=Yes 

	Go set up an account.

That's not a problem because it takes you to a login page.  Had that been a webkey, you'd be able to take my money.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp



