[cap-talk] Webkeys vs. the web, problem #2

[James A. Donald]

Chip Morningstar wrote:
> The issue here is that groups, representing collections of people, are in a
> sense fundamentally identity-oriented abstractions.  While groups, in this
> sense, may be a poor abstraction in general for access control, they seem like
> a pretty good abstration for regulating access to themselves.  And in any
> event, they are a pretty good abstraction for capturing the human relationships
> between the members: when I communicate to a group (say, the cap-talk mailing
> list), I am addressing the specific people who are members.  In this sense,
> it's not really about access control except secondarily.

We expect to use specialized tools for accessing groups - which tool 
could of course a web page containing a great deal of script.

We expect the tool representing us to simply know who we are, and the 
tool representing the group to simply know who we are, enabling us to 
talk to the group directly.  And if the group does not know us, we 
expect to introduce ourselves by name and shibboleth

I am saying "shibboleth", not passphrase, to remind everyone that this 
is ancient, built in human behavior that predates computers by quite a 
bit, and which computers must therefore accommodate.

We should be able to easily pass out access to the group, but not easily 
pass out our identity - this behavior is innate in our natures, and is 
indeed identity like and not capability like.  The nature of 
capabilities is that they *can* be passed around.

Now a door key capability like, but it is ours, and we don't pass it 
around, because it is a physical object, and it is not our nature to 
liberally hand over physical objects.  But since a capability is just 
information, we are apt to pass it around - which is what is designed 
for.  If we are not going to pass it around, it has to be something like 
a physical key - an object wrapped in behaviors that lead us to feel 
that if we give it to someone else, we do not have it any more.  Such a 
key does not belong in the same sort of user interface as a bookmark.

Bookmarks and buddy lists are existing implementations well suited for 
Zooko's triangle and some kinds capabilities - but not, however, 
identity like capabilities.  Identity like capabilities need to be 
wrapped in an interface that activates the same sort of feelings as a 
physical key.

Passphrases do in fact activate those feelings, for humans have been 
using shibboleths for a *long* time.

Passphrases are, however, vulnerable to phishing - queue the usual 
conversation about building SRP into the browser user interface.