Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that I predicted in my 2002 paper—Ping

I’m new to all this, so maybe I’m thinking about things the wrong way, but my first impression is that your conclusion above looks like a bit of a leap. It looks to me like it is succumbing to two fallacies about reasoning about trust: 1) "transitive trust"; 2) the difference between "I trust X" vs "I trust X for purpose P".

You assumed that if Alice trusts Goggle as a useful general-purpose search engine and if I trust Alice to introduce me to useful general-purpose search engines, then Goggle can be trusted to introduce me to trustworthy payment systems. But that is questionable. With longer and longer chains, it becomes more and more questionable.

Also, you assumed that if Alice introduces me to Goggle as a useful general-purpose search engine, then she would also be willing to claim that the first search result for the search query "Paypal" is trustworthy for purposes of handling your money. But maybe Alice only intended to assert that Goggle is adequate for the former purpose but not for the latter.

I’m not convinced it is as easy as all this. This strikes me as a problem that might be unavoidably hard. What seems to make it hard is that it involves humans. We’re trying to solve a people problem with an (admittedly elegant) mathematical technique. That strategy worries me, because technical "solutions" to social problems often don’t work nearly as well as one might wish. The human is embedded in the protocol, and we’re trying to prevent social engineering attacks on the human, which means that we have to anticipate all the ways that humans might be fooled into coming to the wrong conclusions—but humans behave in surprising ways, and their behavior isn’t easily formalized in a mathematical framework.

To put it another way, maybe this isn’t one of those problems with a perfect and elegant principled solution. It might be an engineering problem where no single clean solution suffices, and where workable solutions tend to look messy. I don’t have any proof of that, just a fear that it might be the case. But we shouldn’t let my fears stop us from looking hard for good solutions to this problem, so please don’t let these remarks get in the way of continuing the discussion.—David
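An added illustration (not code from this thread) of the two fallacies David describes, using the Alice / Goggle / Paypal chain from his post; the trust edges, purpose labels and hop limit are constructed assumptions. The naive evaluator accepts any chain of edges, while the scoped evaluator requires every hop to be asserted for the purpose being asked about and bounds the chain length:

```python
# Constructed example: naive transitive trust vs. purpose-scoped trust chains.
# Names, purposes and edges are assumptions for illustration only.
from collections import deque

# Each assertion reads "truster trusts trustee for purpose".
TRUST = [
    ("me", "Alice", "introduce-search-engines"),
    ("Alice", "Goggle", "search"),
    ("Goggle", "first-result-for-Paypal", "search"),
]


def naive_transitive_trust(assertions, source, target):
    """Fallacy 1: any chain of trust edges is taken to carry trust through."""
    adj = {}
    for truster, trustee, _purpose in assertions:
        adj.setdefault(truster, []).append(trustee)
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def scoped_trust(assertions, source, target, purpose, max_hops=2):
    """Fallacy 2 avoided: every hop must be asserted for the same purpose,
    and chains longer than max_hops are rejected (each hop weakens the claim)."""
    adj = {}
    for truster, trustee, edge_purpose in assertions:
        if edge_purpose == purpose:
            adj.setdefault(truster, []).append(trustee)
    seen, queue = {source}, deque([(source, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == target:
            return True
        if depth >= max_hops:
            continue
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return False


if __name__ == "__main__":
    print(naive_transitive_trust(TRUST, "me", "first-result-for-Paypal"))
    print(scoped_trust(TRUST, "me", "first-result-for-Paypal", "payments"))
```

The naive evaluator accepts the search result as trustworthy; the scoped one refuses, because no link in the chain was ever asserted for the purpose of handling money.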

I believe all we’re trying to do and in fact all we can do is to enhance the safety of communication like:

"<I> (who you have some trust in) assert <this> about this other <entity>"

If by technical means we can enhance the safety of the knowledge of <I> and <entity> and the communication about any such assertion, <this>, then I believe we’ve enhanced human communication—whatever else one might say about the foibles of such communication. This seems to me a worthy cause—made somewhat more tractable in the digital realm.—Jed