Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that I predicted in my 2002 paper—Ping

Yes, that’s better, but still (I suspect) more dangerous than having users choose their own Petnames. See my response to Bill Frantz. But I think Ben Laurie has gotten at a much more serious problem. Suppose I ask my bank how much money they’d be willing to put behind their word when they introduce me to Paypal. I think they’re going to laugh at me.

Moreover, I think they may be right to laugh at me. They’re in the business of managing money, not in the business of introductions (that’s the Yellow Pages’ business). Why would being good at the former imply that they are good at the latter? To put it another way, sure, I trust them to do the former, but why should I trust them to do the latter? I think we’ve got an example of a standard fallacy when reasoning about trust: "I trust X for purpose P" doesn’t imply "I trust X for purpose Q".—David

The example chosen was somewhat stylised. In practice, we don’t get the introductions we desire, unless we pay for them (and even then ....). Nobody owes us that trust, no matter how much we think it would solve our security problems if they did.—Ian

Right. In practice we get our introductions from a variety of sources, and we apply discretion and due diligence to them as they come in. No biggie. The main thing here is to identify the source of the introduction. It is not the agent’s job to do/measure trust; it is the user’s job to make a trust judgement.

In that sense, the use of the word trust outside of "Alice decides whether she and she alone trusts X" should be treated with suspicion. I’m glad this is starting to be understood:

<financialcryptography.com>—Ian

Perhaps if you ask the question that way, but I believe they will find themselves liable in court whether they want to or not. Banks (and other institutions) take such relationships very seriously—as they should.—Jed

I don’t agree. There are many situations where an institution like a bank needs relationships with other organizations to be effective at their business. Paypal might be an example for small monetary Internet transactions. A brokerage house might be another example, or perhaps a bill paying organization. If my bank points me to them I would take such as valued recommendations and I believe my bank would take them seriously as well—at least if they want to stay my bank.—Jed