Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that I predicted in my 2002 paper—Ping

I gave some examples in my next message on this topic. Perhaps you could address them. For example, I gave the example where someone I trust could say, "If you visit the site, view its SSL certificate and find that its MD5 Fingerprint is A9:04:4D:...:E2:31:9A then I can trust that it’s "Paypal" the organization that you can place some trust in."

Does that answer your question? If you are asking the deeper question of how one bootstraps trust relationships to begin with (e.g. consider communicating with extraterrestrials with whom we can have no physical contact) then we could go there, but I think we are getting pretty far afield from "Firefox breaks the principle of identifiability"—which I do believe Petnames solves.—Jed

I agree it solves the problem of confusable URLs. I can’t get very excited about that without a solution to the problem of how I realistically get hold of things to associate petnames with. Currently, if I want to go to Paypal’s site, I type it in—petnames don’t help me.—Ben

Great. —Tyler

So the fact that the WWW does not currently support safe hyperlinking doesn’t bother you? Your bank has a web site, but on the current WWW, it is not safe to follow a hyperlink to that web site. In my opinion, this is deeply broken. That petnames fix this problem is very important and exciting. Are you sure you disagree? Is the web part of the World Wide Web really not important to you?

I want to continue to delay the introduction discussion until we nail down the phishing part of the discussion, but I will get to it if you want to.—Tyler

What don’t you believe is practical? The communication of the trust relationship from one entity to another (e.g. from your existing bank to Paypal) or the binding of the communicated trust to a Petname? Or something else?

It seems to me that if I have an existing trust relationship and via known secure communication with that trusted entity I receive a message like: __________
You can trust the entity at www.paypal.com with the certificate with MD5 Fingerprint:

A9:04:4D:C2:74:5E:05:D9:28:44:E0:8C:53:E2:31:9A

to be the "Paypal" service as I describe in this document. You may assign it the Petname "Paypal" and trust it as described herein. __________

The one thing I think might be missing is the binding of the Petname to the fingerprint. Binding it to an IP address or DNS name has known problems. If there was a binding to a fingerprint as above (I don’t know, there may be), would that suffice? Would you consider that ’practical’? If not, why not?—Jed

Yuck! I’m a security geek, and even I couldn’t stand to use this kind of mechanism on a regular basis. Do we really expect others to be willing to put up with this? That’s straining credulity.

Let me step back a minute. I think there are two worldviews here.

The crypto-purist’s view: Public keys are the only names you can trust. The only way you can be introduced to Coca Cola is to have someone you trust absolutely give you Coca Cola’s public key. When you want to communicate with Coca Cola, you should always specify who you want to communicate with by telling the computer Coca Cola’s public key. As an optimization, you can tell the computer Coca Cola’s public key once, and establish a pet name, but that’s just an optimization. As another optimization, we can let the SHA1 fingerprint stand in as a substitute for Coca Cola’s public key, but that’s just another optimization. If you want to be introduced to Coca Cola through a non-electronic channel, the introducer has to tell you Coca Cola’s public key (or its fingerprint) and you have to type it into your computer. Names (i.e., public keys) should only be communicated over the computer. IP addresses and domain names are useful only for routing.

The realist’s view: In the real world, sometimes we learn names over non-digital channels. For instance, the name "Coca Cola" has a nearly universal binding. Having your computer insist that the name "Coca Cola" means nothing isn’t helpful. What is the owner of the Coca Cola brand supposed to do? Print their public key at the bottom of every TV ad they ever make, and hope that everyone who sees the ad will meticulously type in a 40-hex digit string? Hopeless. And the idea that people will tell their friends "I drink ee65f5a583fb7b26c753faf610586372409f2ec1" instead of "I drink Coke" seems something far short of plausible.

I have trouble believing that something as extreme as the crypto-purist’s worldview is ever going to be workable in the real world—at least, not as the complete answer. As much as the security geek in me cringes at the thought of advocating a global root of trust like Verisign, I think there is an argument that something short of the crypto-purist’s stance might be required, at least in many cases.—David

David Wagner wrote: a cogent plea for a reality check on the "crypto purist’s worldview"

but he omitted the transitive aspect of Pet Names. Suppose I see an ad on television for Acme brand shoes, and I want to go to the Acme web site to learn more. The "crypto purist’s worldview" as elucidated by Dave has it that Acme has to print their public key fingerprint at the bottom of the screen during their ad, and I have to type it into my computer to load their web site. However, the Pet Names worldview is better: I might have previously been securely introduced to the television station, so I can type into my computer: "teevee’s acme shoes".—Zooko
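
An added sketch (not code from any participant in this thread) of the two ideas discussed above: Jed's binding of a petname to a certificate fingerprint, and Zooko's transitive "teevee's acme shoes" naming. It assumes SHA-256 in place of the MD5 fingerprints quoted in the thread; the class, its method names and the certificate bytes are hypothetical.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-256 digest of the certificate's DER bytes."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class PetnameStore:
    """Per-user bindings: key fingerprint -> petname. Hostnames are never consulted."""

    def __init__(self):
        self._petname_of = {}   # fingerprint -> my private petname
        self._referrals = {}    # my petname -> {introducer's name for a key: fingerprint}

    def assign(self, petname: str, fp: str) -> None:
        if petname in self._petname_of.values():
            raise ValueError(f"petname {petname!r} is already bound to another key")
        self._petname_of[fp] = petname

    def record_referral(self, introducer: str, their_name: str, fp: str) -> None:
        # Only an entity I have already named may introduce others.
        if introducer not in self._petname_of.values():
            raise KeyError(f"no petname {introducer!r}")
        self._referrals.setdefault(introducer, {})[their_name.lower()] = fp

    def label_for(self, fp: str):
        """What the browser chrome would show for a presented certificate."""
        return self._petname_of.get(fp)   # None means: unknown site

    def resolve(self, phrase: str):
        """Resolve "<petname>'s <their name>" to a fingerprint, or None."""
        introducer, sep, their_name = phrase.partition("'s ")
        if not sep:
            return None
        return self._referrals.get(introducer, {}).get(their_name.lower())

# Constructed stand-ins for DER certificates; real ones come from the TLS handshake.
PAYPAL_CERT = b"constructed-cert: real paypal key"
LOOKALIKE_CERT = b"constructed-cert: paypal.somename.cz key"
TEEVEE_CERT = b"constructed-cert: tv station key"
ACME_CERT = b"constructed-cert: acme shoes key"

def demo() -> PetnameStore:
    store = PetnameStore()
    store.assign("Paypal", fingerprint(PAYPAL_CERT))     # after a trusted introduction
    store.assign("teevee", fingerprint(TEEVEE_CERT))
    store.record_referral("teevee", "acme shoes", fingerprint(ACME_CERT))
    return store
```

Because the lookup key is the fingerprint, a site with a confusable hostname but a different key gets no label at all.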

SDSI/SPKI-style names? That’s getting better. I’ll have to think about that one some more. I am not sure whether I’m convinced yet. (I’m not sure I’d want to have to type "KPIX’s Coca Cola"; for instance, I might not remember what TV station I saw. Also, this doesn’t fit the "I saw an ad on a billboard" model too well.) But it seems like it is getting closer.

Maybe part of the issue is that the crypto-purist view strikes me as blind to the possibility that maybe there are some things that branding and trademark do reasonably well.—David

By the way, as an optimization to writing down long strings of hex digits, Darius Bacon recently showed me this:

<tothink.com>

It looks good! Those 64-bit phrases seem to be quite as memorizable as a 7-digit phone number. How exciting! :-)—Zooko

I think your characterisation is useful for today, but I’m not so pessimistic about not "ever going to be workable." Consider p2p, and the spaces of similar places. In that world, everyone deals through an agent, and every communication is technically layered, even if we spend most of our time trying to hide the technical layering.—Ian

This is very much the stance for E objects, of course, which can work effectively in a lot more contexts than they are currently being used :-) While not a complete world view, it sure would be nice to see how far we can drive with this model before surrendering :-)—marcs

I understand. This stance is great for reasoning about programs, because programs have well-defined semantics. My concern is with applying it to reasoning about protocols intended for use by humans. Humans don’t have a well-defined semantics. A defect we’re stuck with. :-)—David

I know of users that have been fooled by ’paypal.somename.cz’ (I forget what the "somename" really was.) And users fall every day for the "one url in the link, different one between the A tags" trick.

All the solutions given so far appear to assume the user is paying attention and reasonably bright. Nice assumption (possibly) for this group, but not in general.

It is a nice discussion, but barring smarter users, I think it is theoretical... Just my "it's been a long day" two cents worth.—John

We agree that the crypto-purist worldview is incomplete. However, an entity like Verisign is neither necessary nor even really helpful. A name like Coke has meaning, not because it was blessed by Verisign, but rather because a majority of people mean the same thing when they say it. Algorithms like the Google algorithms (and the clever algorithms Rick Rashid’s folks have developed for Microsoft) are far better at establishing common views of terminology than anything like Verisign could ever hope to achieve. These algorithms are better because they follow the evolution of human meanings. Though such evolution would understandably give the crypto purist superb nightmares, humans are designed to deal with it effectively. Also, such algorithms give us human-like context relationships as well. I recently needed to find the list of references to the capability pattern we refer to as a powerbox. Typing "powerbox" into Google gives us a manufacturer of electrical components. But typing "capability secure powerbox" gives us what we would expect. In a world built human-style—which is similar enough to a world built google-style to be interesting—it is ok for a second company that specializes in payroll benefits to call itself paypal. Humans would distinguish by context.—marcs

That does sound like a promising angle. It involves the human in determining which answers "look plausible". It can still be fooled, I’m sure (witness the trade in "search engine optimization"), but if we accept that we are looking for something that mostly works as opposed to perfection, this sounds promising.

But, just to inject one note of caution into my enthusiasm: There is a difference between an approach that involves always asking Google and trusting them to perform these computations correctly (this comes awfully close to being equivalent to Verisign, just with a different name), as opposed to everyone performing those algorithms for themselves. The latter is clearly better from a security point of view. It will be interesting to see whether it is tractable, though.—David