Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that i predicted in my 2002 paper—Ping

➡

The central point of my essay on the petname toolbar is that phishing is the result of name conflation.—Tyler

➡

So how, in this system, does the user come to trust Paypal (as opposed to someone pretending to be Paypal)?—Ben

➡

If I’m understanding the discussion so far, I think the answer is that the issue of trust is separate from the issue of identity.—Jed

➡

Indeed, but I am no closer to understanding how the user ever gets to a state where they can do anything useful.—Ben

➡

I gave some examples in my next message on this topic. Perhaps you could address them.—Jed

➡

I agree it solves the problem of confusable URLs.—Ben

➡

What don’t you believe is practical?—Jed

➡

Let’s say I start with actually visiting my bank, and getting the fingerprint of their cert. I then tediously type that into my machine.—Ben

➡

Forget the tedious typing. You give them your smart card (or something like) and they add a Petname binding to it.—Jed

➡

I’m sorry to be such a curmudgeon here, but-- this doesn’t sound like a solution I can get terribly excited about.—David

➡

No, you can both see and control the Petnames that are uploaded when you access the information on your card.—Jed

➡

Yes, that’s better, but still (I suspect) more dangerous than having users choose their own Petnames. See my response to Bill Frantz.—David

➡

The example chosen was somewhat stylised.—Ian

➡

While I think of it, it is well worth the effort to look at the two graphics I snaffled in today’s blog entry:

<financialcryptography.com>—Ian