Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that I predicted in my 2002 paper—Ping

To communicate about third parties, we need to first securely agree on a common semantics. The problem of secure general agreement is a property rights problem, and in particular a property titles problem. It’s like agreeing on who owns the land, and what its boundaries are. I’ve tackled this problem in depth at <szabo.best.vwh.net>. More information on the distributed database system that the secure title system is based on can be found at <szabo.best.vwh.net>. Among the other things one can do with secure distributed property titles is set up secure public mappings between human-readable names, between names and addresses, and so on. In the secure titles system names are controlled by their owners, ownership can be securely verified by third parties, and third parties can comment on the accuracy of any claims implied by the title (e.g. the relationship between human-readable names and network addresses).

On CAs: when I was working on a certificate authority, we considered certificates to be mappings from domain names (or other network addresses) to legal names. In other words, they were links from cyberspace into legal systems—they were "who to sue" certificates. Not trademarks, or otherwise human-readable names—we left that war to the domain name and trademark people. (Verisign, but not most other CAs, attempts to combine the anti-confusion and legal identity functions, but only because they also run a big chunk of the domain name system. Verisign’s bundling is not necessary—anti-confusion measures should be taken during DNS registration, not with certificate issuance.) Turns out the only people who really want such legal IDs online are businesses. Credit cards and PayPal provide legal identities for individuals, and besides most individuals don’t want to otherwise surf with a permanent cookie that doubles as a "sue me" certificate.

You "trust" a Verisign-certified web site, in the ways and to the extents that you do, because if they screw up in an illegal way a government can arrest them, or you can sue them, or both. Beyond that the certificate has nothing to do with "trust", "reputation", and other such vague nonsense. Verisign does not check their credit rating, or test the quality of their goods. It probably does not even forbid certificates to known fraud artists (and it should not do so—it should leave such remedies to legal systems). They check Dun & Bradsreet, and Dun and Bradstreet checks with various government offices for business registrations, verifies physical addresses (so you know where to serve process), and the like. It is not a "reputation system". It is a link into legal systems.

And now to the problem at hand: phishing. To state the obvious, phishing is illegal, in the U.S., under common law and a variety of fraud and trademark statutes, and I doubt you can find a jurisdiction where it’s legal. If said laws could be enforced, there wouldn’t be phishing. The CA solution is a proposal to try to make such laws enforceable by allowing users to know whether they can call the cops on the person at the other end, or sue them, if the information they submit is abused in the future, or if it was obtained by fraud (e.g. phishing), or both. Whether this will work or not is an open question, but it’s nonsensical to discuss it with vague terms like "trust", rather than as what it is—an attempt to provide a secure link from the user’s perceptions into legal systems. Once that link is there, legal systems provide highly evolved security against name confusion, in the form of fraud, trademark, etc. law.

Should this law-link solution fall short, secure property titles provide another alternative—names, addresses, etc. as generally agreed property—that, like cryptography and similar strong security solutions, doesn’t depend (except perhaps for its initial set-up) on a legal system.

Nick Szabo—szabo
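The distinction drawn above, between the network name a certificate covers and the legal identity it binds that name to, is visible directly in the subject of an X.509 certificate. The following is an added example (Go, standard library only; it is not code from this page, from Nick Szabo, or from any CA). It builds a constructed, self-signed certificate with made-up values (example.com, "Example Corp", Delaware, registration number 1234567; only the EV jurisdiction attribute OIDs are real, taken from the CA/Browser Forum EV guidelines), then separates the SAN dNSName entries, the cyberspace side, from the subject's organization, country and jurisdiction attributes, the legal-system side, and checks whether a subject carries a legal identity at all (the OV/EV case) or only a domain name (the DV case).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attributes that CA/Browser Forum Extended Validation certificates use
// to name the jurisdiction of incorporation and the registration number.
var (
	oidJurisdictionState   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 2}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
	oidSerialNumber        = asn1.ObjectIdentifier{2, 5, 4, 5} // registration number in EV
)

// LegalLink is the "who to sue" reading of a certificate: the network names it
// covers and the legal-identity attributes the issuer vouched for. Brand or
// trademark strings are deliberately not part of it.
type LegalLink struct {
	DNSNames            []string
	Organization        string
	State               string
	Country             string
	JurisdictionState   string
	JurisdictionCountry string
	RegistrationNumber  string
}

func first(ss []string) string {
	if len(ss) > 0 {
		return ss[0]
	}
	return ""
}

// ExtractLegalLink splits a parsed certificate into its cyberspace side (SAN
// dNSNames) and its legal-system side (subject attributes). Standard attributes
// come from the typed pkix.Name fields; the EV attributes are only reachable
// through Subject.Names, which holds every parsed attribute.
func ExtractLegalLink(cert *x509.Certificate) LegalLink {
	l := LegalLink{
		DNSNames:     cert.DNSNames,
		Organization: first(cert.Subject.Organization),
		State:        first(cert.Subject.Province),
		Country:      first(cert.Subject.Country),
	}
	for _, atv := range cert.Subject.Names {
		s, ok := atv.Value.(string)
		if !ok {
			continue
		}
		switch {
		case atv.Type.Equal(oidJurisdictionState):
			l.JurisdictionState = s
		case atv.Type.Equal(oidJurisdictionCountry):
			l.JurisdictionCountry = s
		case atv.Type.Equal(oidSerialNumber):
			l.RegistrationNumber = s
		}
	}
	return l
}

// IsLegalIdentityCert reports whether the subject names a registered entity and
// a country (OV/EV style) rather than merely proving control of a DNS name
// (DV style). Only the former is usable as a "where to serve process" link.
func IsLegalIdentityCert(cert *x509.Certificate) bool {
	return len(cert.Subject.Organization) > 0 && len(cert.Subject.Country) > 0
}

// MakeSampleCert builds a constructed, self-signed certificate for illustration.
// Every name, organization and number in it is made up for this example.
func MakeSampleCert(withLegalIdentity bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: "www.example.com"}
	if withLegalIdentity {
		subj.Organization = []string{"Example Corp"}
		subj.Province = []string{"Delaware"}
		subj.Country = []string{"US"}
		subj.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidJurisdictionCountry, Value: "US"},
			{Type: oidJurisdictionState, Value: "Delaware"},
			{Type: oidSerialNumber, Value: "1234567"},
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subj,
		DNSNames:     []string{"www.example.com", "example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := MakeSampleCert(true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("legal identity: %v\n%+v\n", IsLegalIdentityCert(cert), ExtractLegalLink(cert))
}
```

The check in IsLegalIdentityCert is the practical point: a DV certificate proves only that someone controlled the DNS name when it was issued and carries nothing that reaches into a legal system, so the "sue me here" reading of a certificate applies only when the subject actually names an organization and a country, and the EV jurisdiction attributes say which court that is.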

Sometimes you can’t, and a good "sue me here" certificate system would usually prevent a legally unreachable web site from getting a "you can sue me in Canada" certificate. A Chinese site should not get a "you can sue me in Canadian court" certificate unless either Canada has comity with China with respect to the subject matter (here fraud), or the entity has reachable assets or business interests in Canada and the local court has personal jurisdiction. A starting point for discussions of comity and personal jurisdiction over Internet activities, U.S. style (which is similar to Canada), can be found at <temple.edu>

To the extent a CA system falls short (especially with false positives, but also with false negatives) in failing to provide an accurate "you can sue me" certificate, it will be a less perfect solution to phishing. Maybe the problem you point to is fatal to the idea; OTOH maybe in the long run it won’t be a big deal. The jury is going to be out for a while yet.—szabo


In this case, the user’s trust is placed in the legal system. This breaks down in situations where the user’s legal system has no jurisdiction over the entity that screwed him over. The fact that phishing may be illegal in the U.S. carries absolutely no weight in other nations.

Furthermore, calling the cops on some online entity is an enormous investment of time and effort when compared to real life where all the user has to say is, "The shop on 1234 Fifth St. stole my money." There is only one 1234 Fifth St. where the local police have jurisdiction, and the user cannot confuse the location or the shop with any other.—Sandro

Because all the information the user needs to make informed decisions is hidden behind the impenetrable "little black box" that is the user interface (or isn’t even there in the first place). If presented the proper information, the user can make more intelligent decisions. They will be able to distinguish the online equivalent of buying something off a truck in an alleyway, versus buying it at Walmart. They will then, hopefully, be a little more discriminating with their information.

The current situation of "personal info free-for-all" is akin to those annoying dialog boxes to which the user simply clicks "ok"; they can’t tell a bad online decision from a good one because they either have insufficient information, or it’s represented in such a way that they cannot understand it, but they need to get stuff done, so onward they go.—Sandro

Trademark and fraud law have been dealing with cross-boundary issues for centuries. Mind you, there are still many imperfections—witness for example the century-old battle over "Budweiser" (see e.g. <cipr.org>).—szabo

It seems you are arguing for punishment rather than prevention. If preventing abuse is possible, punishment is not necessary. This avoids the whole sticky issue of crossing legal boundaries and requires far less investment of time and effort for all parties. All this talk of persecution for abuse is fine, but is often unnecessary since the computer world can simply do better than that. Exploring trust issues is a necessary step to developing usage patterns that help prevent the user from making himself more vulnerable than absolutely necessary.—Sandro

You’ve misunderstood—sorry I wasn’t clearer. A preference for prevention is why I advocate secure property titles as a better solution to the phishing problem—they don’t depend on the legal system.

Nick Szabo—szabo