2023-05-10 21:12:25 -04:00
|
|
|
|
---
|
|
|
|
|
title: An Introduction to Petname Systems
|
|
|
|
|
# notmine
|
2023-10-26 03:12:35 -04:00
|
|
|
|
sidebar: true
|
|
|
|
|
...
|
2023-05-10 21:12:25 -04:00
|
|
|
|
|
|
|
|
|
::: {style="text-align: center;"}
|
|
|
|
|
by
|
|
|
|
|
Marc Stiegler, Feb 2005, copyright under the MIT X License\
|
|
|
|
|
updated June 2010\
|
|
|
|
|
:::
|
|
|
|
|
|
|
|
|
|
# Abstract
|
|
|
|
|
|
|
|
|
|
Zooko's Triangle \[Zooko\] argues
|
|
|
|
|
that names cannot be global, secure, and memorable, all at the same
|
|
|
|
|
time. Domain names are an example: they are global, and memorable, but
|
|
|
|
|
as the rapid rise of phishing demonstrates, they are not secure.
|
|
|
|
|
|
|
|
|
|
Though no single name can have
|
|
|
|
|
all three properties, the *petname*
|
|
|
|
|
*system*
|
|
|
|
|
does indeed embody all three properties. Informal
|
|
|
|
|
experiments with petname-like systems suggest that petnames can be both
|
|
|
|
|
intuitive and effective. Experimental implementations already exist for
|
|
|
|
|
simple
|
|
|
|
|
extensions to existing browsers that could alleviate (possibly
|
|
|
|
|
dramatically) the problems with phishing. As phishers gain
|
|
|
|
|
sophistication, it seems compelling to experiment with petname systems
|
|
|
|
|
as part of the solution.
|
|
|
|
|
|
|
|
|
|
# Basic Petname Layout
|
|
|
|
|
|
|
|
|
|
Below, we have Zooko's Triangle
|
|
|
|
|
overlaid with a petname system:
|
|
|
|
|
|
|
|
|
|
![](./zooko-triangle.gif)
|
|
|
|
|
|
|
|
|
|
For the purposes of this document, we actually use an
|
|
|
|
|
alternate rendering of the key points of Zooko's Triangle. The
|
|
|
|
|
points
|
|
|
|
|
of the triangle are:
|
|
|
|
|
|
|
|
|
|
- Memorable: this means
|
|
|
|
|
that a human being has a chance of
|
|
|
|
|
remembering the name. Memorable names pass the "moving bus test": if
|
|
|
|
|
you see the name on the side of a bus as it drives past you, you should
|
|
|
|
|
be able to remember the name long enough to use it when you get home.
|
|
|
|
|
- Global: this means the name
|
|
|
|
|
is publicly available, and indeed the entity to whom the name is
|
|
|
|
|
attached is eager to give it to you. A key goal of marketing and
|
|
|
|
|
advertising is to capture memorable names in such a fashion that the
|
|
|
|
|
memorable name is globally locked to a particular entity.
|
|
|
|
|
- Securely Unique: This is
|
|
|
|
|
means that the name cannot be *forged*
|
|
|
|
|
or *mimicked*.
|
|
|
|
|
A name can be forged
|
|
|
|
|
if one can
|
|
|
|
|
manufacture an exact duplicate of the name such that neither man nor
|
|
|
|
|
machine can tell the difference. A name can be mimicked
|
|
|
|
|
if
|
|
|
|
|
one can make a name similar enough to fool the human being. In general,
|
|
|
|
|
phishing depends on mimicry, not forgery. This difference becomes
|
|
|
|
|
crucial later in the discussion.
|
|
|
|
|
|
|
|
|
|
Each name set consists of three
|
|
|
|
|
elements: a *key*
|
|
|
|
|
that is global and securely unique (but not necessarily memorable); a *nickname*
|
|
|
|
|
that is global and memorable (but not at all unique) , and a *petname*
|
|
|
|
|
that is securely unique and memorable (but private, not global):
|
|
|
|
|
|
|
|
|
|
- **Keys** lie at the heart of the security properties
|
|
|
|
|
of the petname system. Nicknames and petnames exist to make it easy for
|
|
|
|
|
human beings to manipulate keys. The security of the
|
|
|
|
|
system can be no stronger than the unforgeability of the keys.
|
|
|
|
|
Self-authenticating public/private key pairs make excellent keys since
|
|
|
|
|
they have strong
|
|
|
|
|
unforgeability properties. But there are other ways of achieving
|
|
|
|
|
unforgeability. A trusted path can also work well as the key: the full
|
|
|
|
|
pathname to a file on a specific computer is
|
|
|
|
|
also unforgeable (or at least, as unforgeable as the designation of the
|
|
|
|
|
specific computer, which can be quite strong in some cases). It does
|
|
|
|
|
not make any difference in a petname system whether a key can be
|
|
|
|
|
mimicked: keys are handled only by the computer, the human being
|
|
|
|
|
handles the keys only indirectly via petnames. For a particular person,
|
|
|
|
|
for a particular application, there is a
|
|
|
|
|
one-to-one mapping between a key and a petname.
|
2024-06-15 22:28:08 -04:00
|
|
|
|
|
2023-05-10 21:12:25 -04:00
|
|
|
|
- **Nicknames**
|
|
|
|
|
can be used to assist in discovery of
|
|
|
|
|
keys, and for help in selecting a petname. Nicknames are chosen by the
|
|
|
|
|
owners of keys in hopes of creating a distinctive, if not
|
|
|
|
|
unique,
|
|
|
|
|
mapping from the memorable nickname to the key. Such nicknames often
|
|
|
|
|
are promulgated throughout the world in
|
|
|
|
|
the hopes of making the nickname stick in the mind as a reference to
|
|
|
|
|
the
|
|
|
|
|
key. Since there are strong incentives to "take ownership" of a
|
|
|
|
|
nickname, even though true ownership is not possible, nicknames are the
|
|
|
|
|
most often misunderstood part of a petname system.
|
|
|
|
|
|
|
|
|
|
In the simple case, a nickname has a one-to-many mapping to
|
|
|
|
|
keys The name John Smith is obviously a
|
|
|
|
|
nickname: there are many John Smiths.Other nicknames
|
|
|
|
|
produce the illusion of being globally unique: the name Marc Stiegler
|
|
|
|
|
appears to be globally unique at the time of this writing. But there is
|
|
|
|
|
no security property in this accident of global uniqueness. The
|
|
|
|
|
uniqueness of the name Marc Stiegler would change quite quickly if,
|
|
|
|
|
through the
|
|
|
|
|
mysterious forces of human whimsy, the name suddenly became desirable.
|
|
|
|
|
Sometimes the desirability of a nickname is not whimsical, but venal.
|
|
|
|
|
It is already desirable for some applications to call
|
|
|
|
|
themselves
|
|
|
|
|
Quicken, for example, and draw windows that request a Quicken password.
|
|
|
|
|
|
|
|
|
|
- **Petnames**
|
|
|
|
|
are our private bidirectional
|
|
|
|
|
references to keys.
|
|
|
|
|
There are many Mark Millers, but there is one specific Mark Miller that
|
|
|
|
|
the
|
|
|
|
|
name means to me, the Mark Miller who
|
|
|
|
|
works with object-capabilities for secure cooperation. "Mark Miller" is
|
|
|
|
|
Mark Miller's nickname; it also
|
|
|
|
|
happens to be my petname for the same individual. My private pet name
|
|
|
|
|
for my wife is not recognizably similar to the public nickname used by
|
|
|
|
|
my wife. In the computer setting, for a specific person with a specific
|
|
|
|
|
application, petnames are unique, each petname refers to exactly one
|
|
|
|
|
key, and each key is represented by exactly one petname. In all places
|
|
|
|
|
in
|
|
|
|
|
the application where the app wants to designate the key, the petname
|
|
|
|
|
is displayed -- which is to say, *a
|
|
|
|
|
true petname is a bidirectional one-to-one mapping to a key*.
|
|
|
|
|
All references to the key by the user interface are represented by
|
|
|
|
|
petname.
|
|
|
|
|
A key cannot have two petnames; if a single key had two petnames, under
|
|
|
|
|
what circumstances would the user interface use petname1 as the
|
|
|
|
|
representation of the key, and under what circumstances would it bring
|
|
|
|
|
up petname2?
|
|
|
|
|
|
2024-06-15 22:28:08 -04:00
|
|
|
|
## More Detail, and Interactions
|
2023-05-10 21:12:25 -04:00
|
|
|
|
|
|
|
|
|
A good example of a nickname management system is Google. Type
|
|
|
|
|
in a name, and Google will return a list that includes all the entities
|
|
|
|
|
Google knows, to which the name refers. Google
|
|
|
|
|
makes a mapping between these nicknames and their keys (if we think
|
|
|
|
|
of the url of a page as a trusted-path-style key, which will be
|
|
|
|
|
discussed later). Often
|
|
|
|
|
enough to be interesting, the first item in the list will be the one
|
|
|
|
|
you wanted. But it fails often enough, and endless pages of other
|
|
|
|
|
choices appear often enough, to never leave us in doubt that these
|
|
|
|
|
identifiers
|
|
|
|
|
are not unique mappings to single keys. As is already true in the
|
|
|
|
|
current world, in a world filled with petname
|
|
|
|
|
systems, a key goal of marketing would be to get your nickname listed
|
|
|
|
|
at the top of the Google rankings for that nickname.
|
|
|
|
|
|
|
|
|
|
A single key may map to multiple nicknames. The entity that comes up
|
|
|
|
|
first in a Google search for "Marc Stiegler" is an entity who proposes
|
|
|
|
|
the
|
|
|
|
|
nickname "marcs" for himself in many forums. However, to assess the
|
|
|
|
|
security
|
|
|
|
|
properties of a petname system, this is irrelevant.
|
|
|
|
|
|
|
|
|
|
Nicknames are conveniences that may serve as good starting points
|
|
|
|
|
for petnames. If I send
|
|
|
|
|
you my key and my nickname, often my nickname (which I normally will
|
|
|
|
|
have chosen to
|
|
|
|
|
be reasonably rare in the world) will work great as your petname. But
|
|
|
|
|
do not confuse the nickname-as-proposal with the
|
|
|
|
|
petname-as-decided. Never in a true petname system is
|
|
|
|
|
the nickname presented or employed as if it were a petname.
|
|
|
|
|
|
|
|
|
|
*Alleged names*
|
|
|
|
|
are similar enough to nicknames to be worth
|
|
|
|
|
distinguishing. An alleged name is the name for an entity proposed by a
|
|
|
|
|
third party, typically in an introduction. This can also be useful as a
|
|
|
|
|
starting place for picking a petname. Alleged names, like nicknames,
|
|
|
|
|
are usually memorable, often global, and never securely unique. Alleged
|
|
|
|
|
names are often based on nicknames, though this is unreliable enough,
|
|
|
|
|
if one really cares about the nickname then one really needs to ask the
|
|
|
|
|
entity holding the key, not the introducer.
|
|
|
|
|
|
|
|
|
|
In action, keys and alleged names
|
|
|
|
|
tend to be transferred together. We
|
|
|
|
|
refer henceforth to such key/alleged-name pairs as *referrals.*
|
|
|
|
|
|
|
|
|
|
It is crucial not to confuse
|
|
|
|
|
private petnames with global nicknames
|
|
|
|
|
that temporarily happen to have a unique mapping to a key.
|
|
|
|
|
Experience to date suggests that the word "petname" is attractive,
|
|
|
|
|
leading people to desire to use it. People can thence easily fall into
|
|
|
|
|
the trap of referring to momentarily
|
|
|
|
|
unique nicknames as "petnames". This error then leads them inevitably
|
|
|
|
|
to draw fatally confused conclusions about the possibility of petnames
|
|
|
|
|
with global meaning. The security properties of a petname come from its
|
|
|
|
|
privacy. Public nicknames are trivially vulnerable to
|
|
|
|
|
both forgery and mimicry; they have no security properties.
|
|
|
|
|
|
|
|
|
|
Petnames are guessable. Most people will accept Paypal's nickname as
|
|
|
|
|
the petname. This can only impact the security of the
|
|
|
|
|
system if the user interface
|
|
|
|
|
distinguishes the petnames from the nicknames so poorly that the user gets confused.
|
|
|
|
|
|
|
|
|
|
The term "petname" suggests that this name is embodied as text. This
|
|
|
|
|
is
|
|
|
|
|
not necessary; petnames can be graphical as well. Indeed, some of the
|
|
|
|
|
petname systems listed later use petnames that include both *pet
|
|
|
|
|
texts* and *pet graphics.*
|
|
|
|
|
|
|
|
|
|
Petnames must be repeatably editable by the human being so that the set
|
|
|
|
|
of petnames can evolve as the user's set of associations
|
|
|
|
|
grow.
|
|
|
|
|
You might use the petname "Mark Miller" for the one and only Mark
|
|
|
|
|
Miller that you know. But then if you meet another Mark Miller you will
|
|
|
|
|
have to distinguish, possibly by editing the first one: the single
|
|
|
|
|
entry "Mark Miller" may now split into "Mark Miller Capability Guru"
|
|
|
|
|
and "Mark Miller Dentist".
|
|
|
|
|
|
|
|
|
|
Petnames convey power: since the petname is the user representation
|
|
|
|
|
of the key, it is through the petname that the human
|
|
|
|
|
being
|
|
|
|
|
uses the key, communicates with the key owner, and conveys authority to
|
|
|
|
|
the key owner based on the user's *purposeful
|
|
|
|
|
trust*
|
|
|
|
|
relationship with that owner (*purposeful
|
|
|
|
|
trust* is the type of
|
|
|
|
|
trust
|
|
|
|
|
needed to engage in action: I trust (i.e., I am willing to be
|
|
|
|
|
vulnerable to) Entity X to hold N number of
|
|
|
|
|
dollars on my behalf, and to engage in transfers of that money based on
|
|
|
|
|
orders I give).
|
|
|
|
|
|
|
|
|
|
Another way of thinking about the relationship between a key and a
|
|
|
|
|
petname is this. The key is used to authenticate the entity that owns
|
|
|
|
|
the key. The petname is used as a handle upon which to hang the
|
|
|
|
|
trust/reliance/vulnerability data used by the human being to make
|
|
|
|
|
authorization decisions for that entity. If the entity represented by
|
|
|
|
|
the petname My Phone Company asks for my credit card, if the
|
|
|
|
|
justification sounds reasonable, I will release it. If the entity
|
|
|
|
|
represented by the petname Deadbeat Brother (whom I nonetheless trust
|
|
|
|
|
to teach my daughter soccer in the afternoon without supervision -- the
|
|
|
|
|
trust relationship with such a brother is neither positive nor
|
|
|
|
|
negative, it is complex) asks for my credit card, I will not release it
|
|
|
|
|
no matter what the justification.*\
|
|
|
|
|
*
|
|
|
|
|
|
|
|
|
|
*The security
|
|
|
|
|
of a petname system depends on the
|
|
|
|
|
keys to
|
|
|
|
|
prevent forgery, and on the petnames to prevent mimicry.*
|
|
|
|
|
|
|
|
|
|
# Petnames In Action
|
|
|
|
|
|
|
|
|
|
Informal
|
|
|
|
|
experimentation suggests that a petname system is
|
|
|
|
|
much easier to use than to explain (see examples below). We will create
|
|
|
|
|
a single example for this introduction, and give some hint as to the
|
|
|
|
|
wide diversity of variations in the Examples. Suppose I send you Mark
|
|
|
|
|
Miller's OpenPGP pubkey in email. I say, "here is mark miller's
|
|
|
|
|
pubkey."
|
|
|
|
|
I sent you both a key and an alleged
|
|
|
|
|
name
|
|
|
|
|
(mark miller). Implicit in the transmission of the alleged name is the
|
|
|
|
|
proposal that you might want to consider "mark miller" as the petname.
|
|
|
|
|
What you actually choose as a petname depends entirely on your context.
|
|
|
|
|
If you know this particular mark miller in other contexts in other
|
|
|
|
|
applications as "markm", you may choose "markm" as the name referring
|
|
|
|
|
to this key in your list of pubkeys. If you think this might be
|
|
|
|
|
the same mark miller, but are not willing to be vulnerable to me as the
|
|
|
|
|
sole source of such
|
|
|
|
|
powerful mapping, you might use the petname "Marc Stiegler's Mark
|
|
|
|
|
Miller" or "Mark Stiegler's markm". If you perform appropriate
|
|
|
|
|
incantations on the pubkey, you can get the entity's nickname. If this
|
|
|
|
|
pubkey already exists
|
|
|
|
|
in your list, your software shouldn't give you the choice of adding it:
|
|
|
|
|
the software should tell you that you already have this one, and tell
|
|
|
|
|
you the current petname (and perhaps bring up the petname editor so you
|
|
|
|
|
can change the petname if the newly-received reference suggests a
|
|
|
|
|
better name). If you receive a message signed with the private key for
|
|
|
|
|
the markm petname's pubkey, the software should display the
|
|
|
|
|
petname markm. If you send a
|
|
|
|
|
message to mark miller, you should pick the
|
|
|
|
|
encryption key based on the petname.
|
|
|
|
|
|
|
|
|
|
The above example has the
|
|
|
|
|
security properties of a petname system, but OpenPGP systems often do
|
|
|
|
|
not demonstrate the usability properties a petname system
|
|
|
|
|
needs.
|
|
|
|
|
Instant messaging systems with buddy lists demonstrate the usability
|
|
|
|
|
properties, but for reasons beyond the understanding of this author,
|
|
|
|
|
discard all the security properties. See the examples section for more
|
|
|
|
|
details on buddy lists as petname systems.\
|
|
|
|
|
|
|
|
|
|
# Key Issues with Petname Systems
|
|
|
|
|
|
|
|
|
|
Two elements of full-fledged
|
|
|
|
|
petname systems seem to be principle
|
|
|
|
|
sources of controversy. One is, how do I get the keys transferred
|
|
|
|
|
around the system? The other is, "how easily can Darth Vader mimic a
|
|
|
|
|
petname?".
|
|
|
|
|
|
2024-06-15 22:28:08 -04:00
|
|
|
|
## Transferring Keys and Purposeful Trust
|
2023-05-10 21:12:25 -04:00
|
|
|
|
|
|
|
|
|
Transferring keys around the universe is easy; for example, plaster the
|
|
|
|
|
keys on all the web sites in the world that'll let you do so. The hard
|
|
|
|
|
part is transferring a key with an association to purposeful trust. It
|
|
|
|
|
is useless to both PayPal and the phisher who wants your Paypal account
|
|
|
|
|
if you just know Paypal's key; you have to be willing to make yourself
|
|
|
|
|
vulnerable to the entity who
|
|
|
|
|
owns the key to hold your credit card, trusting him to engage in only
|
|
|
|
|
transfers that you specify.
|
|
|
|
|
|
|
|
|
|
The question, "how do I
|
|
|
|
|
transfer a purposeful
|
|
|
|
|
trust association?", is hard to
|
|
|
|
|
answer because there is no simple single answer. Instead, there are a
|
|
|
|
|
vast array of
|
|
|
|
|
answers, each of which works in narrow circumstances. The question
|
|
|
|
|
is made
|
|
|
|
|
even more difficult to answer because the mechanisms by which humans
|
|
|
|
|
determine an appropriate purposeful trust to be associated with an
|
|
|
|
|
entity
|
|
|
|
|
is subtle, complex, powerful, and completely subconscious: the
|
|
|
|
|
question of how you transfer the association can easily slide into a
|
|
|
|
|
hopeless discussion of how to create purposeful trust in the first
|
|
|
|
|
place. Here we outline some general ideas for transferring
|
|
|
|
|
key/purposeful-trust
|
|
|
|
|
mappings, then in the
|
|
|
|
|
Examples
|
|
|
|
|
point out some practical approaches in specific narrow contexts.
|
|
|
|
|
|
|
|
|
|
Answers often start with direct
|
|
|
|
|
physical contact. You get a combination of
|
|
|
|
|
a nickname and a key in a file from your best friend, who says, "this
|
|
|
|
|
Google thing is a great search engine", or "this Consumer Reports site
|
|
|
|
|
will not lead you astray". You stick these referrals in your browser,
|
|
|
|
|
assign petnames,
|
|
|
|
|
and make yourself vulnerable to them for the purposes stated because
|
|
|
|
|
your friend said so.
|
|
|
|
|
Then when the side of the bus says PayPal, you might go and see what
|
|
|
|
|
Google thinks Paypal means. Since a relationship with PayPal is a
|
|
|
|
|
serious vulnerability decision, serious enough so that we're not going
|
|
|
|
|
to jump
|
|
|
|
|
at the first site just because Google said so, we'll ask a few of our
|
|
|
|
|
friends to email referrals to the entities they use for online money.
|
|
|
|
|
If the referrals they send all share the same key as the Google
|
|
|
|
|
key (which is easy to tell, because trying to add each new key/petname
|
|
|
|
|
mapping will
|
|
|
|
|
produce the alert that the key matches something you've already got),
|
|
|
|
|
the
|
|
|
|
|
quality of your willingness to be vulnerable to the key you have
|
|
|
|
|
petnamed PayPal improves.
|
|
|
|
|
This is pretty similar to how
|
|
|
|
|
we all started using PayPal even without the petname system: we jumped
|
|
|
|
|
in when enough of our friends and organizations that we trust for
|
|
|
|
|
recommendations about financial matters concurred. The only difference
|
|
|
|
|
in the petname version of the story is that our friends explicitly gave
|
|
|
|
|
us referrals rather than easily mimicked domain names, and we
|
|
|
|
|
explicitly set a petname (perhaps by just clicking an Accept key when
|
|
|
|
|
the alleged name was proposed as the petname).
|
|
|
|
|
|
|
|
|
|
While a full-fledged, purebred
|
|
|
|
|
petname system could in principle
|
|
|
|
|
supplant the entire DNS system, we have DNS now, and we can use it to
|
|
|
|
|
do some bootstrapping. My ability to type google.com and
|
|
|
|
|
paypal.com is probably adequate to get started.
|
|
|
|
|
|
|
|
|
|
Regardless of how you
|
|
|
|
|
bootstrap, you
|
|
|
|
|
can get referrals by email, thumbdrive, web page, chat, and even by
|
|
|
|
|
telephone.
|
|
|
|
|
|
|
|
|
|
## Converting From Nickname to Petname
|
|
|
|
|
|
|
|
|
|
The other part of the system
|
|
|
|
|
that is impossible to quantify is the
|
|
|
|
|
mimicability of pet names. Let us assume a poorly built petname system
|
|
|
|
|
in the clutches of a clueless user. We have a money transfer site
|
|
|
|
|
on the Web that we have petnamed PayPal. We get an email telling us to
|
|
|
|
|
update our PayPal account, we click the link, and go to a domain that
|
|
|
|
|
has given itself the nickname PayPa1 (for those of you with typically
|
|
|
|
|
broken fonts, that last character, "1", is a one). Our poorly
|
|
|
|
|
built hypothetical petname system
|
|
|
|
|
is so poorly
|
|
|
|
|
built, the nickname is put into the field where the petnames go, with a
|
|
|
|
|
hint of shading or some other easy-to-miss mod to mark the
|
|
|
|
|
fact that
|
|
|
|
|
this is the web site's nickname for
|
|
|
|
|
itself, not our petname for it. The distinction is missed,
|
|
|
|
|
and
|
|
|
|
|
our
|
|
|
|
|
user is phished.
|
|
|
|
|
|
|
|
|
|
The solutions to this problem
|
|
|
|
|
are
|
|
|
|
|
application and context specific,
|
|
|
|
|
though there are some good ideas floating around that seem to have wide
|
|
|
|
|
applicability. In the Waterken Petname Toolbar proposal (see below),
|
|
|
|
|
the alleged name is always "untrusted". It's hard to fail to
|
|
|
|
|
recognize
|
|
|
|
|
that
|
|
|
|
|
this isn't PayPal, though a sufficiently unobservant user might
|
|
|
|
|
completely disregard the petname and nickname information and get
|
|
|
|
|
phished anyway. There is limited informal evidence that users really do
|
|
|
|
|
notice things like this (see below), and so the most cynical of
|
|
|
|
|
skeptics are probably mostly wrong though they are probably slightly
|
|
|
|
|
right: if you send a million phishing emails to each of a million
|
|
|
|
|
users, some day some one will be tired and unobservant and will get
|
|
|
|
|
phished. If sending a trillion emails like this is cheap enough,
|
|
|
|
|
phishing will remain profitable, so part of the solution needs to be
|
|
|
|
|
making a trillion emails ever so slightly expensive. Regardless,
|
|
|
|
|
multiple experiments with multiple
|
|
|
|
|
user interfaces would be a good idea to help develop user interfaces
|
|
|
|
|
that maximize the probability that a tired unobservant user will notice
|
|
|
|
|
a warning.
|
|
|
|
|
|
|
|
|
|
There are a couple of user
|
|
|
|
|
interface issues. The petnames must be unambiguously distinct from
|
|
|
|
|
nicknames. This seems easy to do, through colors, fonts, additional
|
|
|
|
|
text, and separate fields for the nickname as examples of pieces of
|
|
|
|
|
strategy.
|
|
|
|
|
|
|
|
|
|
More difficult is the following
|
|
|
|
|
problem: Petname creation must be
|
|
|
|
|
both painless (or people will reject the whole idea) and reliably
|
|
|
|
|
mimicry-free (it would be a disaster to have both PayPal and PayPa1 as
|
|
|
|
|
petnames!). Is this one of those hopeless tradeoffs that the
|
|
|
|
|
computer security community enjoys throwing in its own face? To the
|
|
|
|
|
author, this
|
|
|
|
|
problem looks solvable; indeed, it seems hard to believe that this
|
|
|
|
|
cannot be solved with some reasonable satisfaction, given the number of
|
|
|
|
|
user interface ideas for this problem floating around. But
|
|
|
|
|
implementations and experiments, will be required to identify minimally
|
|
|
|
|
intrusive, adequately effective solutions.
|
|
|
|
|
|
|
|
|
|
Here are two example ideas
|
|
|
|
|
for petname creation user interface
|
|
|
|
|
that seem generally applicable. First is to compose the default choice
|
|
|
|
|
for the petname out of a combination of contextual information and
|
|
|
|
|
nickname information. Suppose we click on a link to "PayPal" in the
|
|
|
|
|
Consumer Reports site (that is, the site that we have assigned the
|
|
|
|
|
nickname, "Consumer Reports"). This takes us to a new site that
|
|
|
|
|
proposes the nickname "PayPal". The system clearly marks that we do not
|
|
|
|
|
have a petname for this site and proposes "Consumer Reports's PayPal".
|
|
|
|
|
The user can press a button to accept this name, edit it, or, with
|
|
|
|
|
algorithmic chicanery left as an exercise for the reader, press a
|
|
|
|
|
second button that says, "let me use the raw nickname PayPal as the
|
|
|
|
|
petname." This system still depends on the user remembering the
|
|
|
|
|
petnames he has already assigned and noticing at the time of creation
|
|
|
|
|
of the new petname, whether he already has a similar name in his list.
|
|
|
|
|
This by itself is probably enough to protect the PayPal pet name --
|
|
|
|
|
most of us who gave PayPal a petname would have no trouble remembering
|
|
|
|
|
we had done so, and if we saw something that looked like "PayPal", we'd
|
|
|
|
|
notice we were at risk of confusing ourselves if we accepted a similar
|
|
|
|
|
name -- but again, we are dealing with humans, so the process is
|
|
|
|
|
imperfect. To support the human being, we'd want to use a font that was
|
|
|
|
|
as ambiguous as possible during petname creation, mixing up 1 and l and
|
|
|
|
|
I in a hopeless mess,
|
|
|
|
|
so that we could be confident that our petnames looked unique no
|
|
|
|
|
matter what ridiculous font got used later.
|
|
|
|
|
|
|
|
|
|
The second idea is to have a weak algorithm for comparing a candidate
|
|
|
|
|
petname in the act of being accepted to the existing petnames. We
|
|
|
|
|
explicitly call this a *weak*
|
|
|
|
|
algorithm because it can be
|
|
|
|
|
pretty poor. It is quite
|
|
|
|
|
acceptable for the algorithm to pop a list of "similar petnames" that
|
|
|
|
|
is overly extensive, i.e., it is fine to show names that the human
|
|
|
|
|
easily recognizes as distinct. The serious error is to fail to show
|
|
|
|
|
names that
|
|
|
|
|
the human might confuse. Comparing Paypal to Paypa1, a sample algorithm
|
|
|
|
|
might notice that the names are of similar length and have three
|
|
|
|
|
letters in common ("p", "a", and "y"), and say, "that's similar enough
|
|
|
|
|
to worry me, I'm gonna check with the boss." The algorithm for noticing
|
|
|
|
|
similarity between private petnames is under much less pressure to be
|
|
|
|
|
perfect than is the algorithm for a Certificate Authority when deciding
|
|
|
|
|
whether
|
|
|
|
|
to award the name "pawpal" when the name "paypal" already exists. A CA
|
|
|
|
|
might like to prevent mimicry, but to do so must tread a
|
|
|
|
|
difficult line with abolishing huge swaths of namespace to ensure
|
|
|
|
|
similarities don't arise.
|
|
|
|
|
|
|
|
|
|
However it is done, mixing alphabets from different languages into a
|
|
|
|
|
single petname list is ridiculous. These are private petnames. Only one
|
|
|
|
|
person in the whole world needs to read them. Use the user's default
|
|
|
|
|
character
|
|
|
|
|
set, and be done.
|
|
|
|
|
|
|
|
|
|
# Examples, Near Examples, and Comparisons
|
|
|
|
|
|
|
|
|
|
## Physical World Petnames
|
|
|
|
|
|
|
|
|
|
Humans have been using parts of
|
|
|
|
|
petname systems since before the
|
|
|
|
|
invention of the written word. Human faces
|
|
|
|
|
were used as keys. These keys resisted forgery far better than most
|
|
|
|
|
things that pass for security today on computers (except in episodes
|
|
|
|
|
of Mission Impossible, and the occasional Shakespearian comedy like
|
|
|
|
|
12th Night). The referral, "Joe, this is my son Billy,
|
|
|
|
|
he's great with a club," transferred both a key/alleged-name pair and a
|
|
|
|
|
first-order
|
|
|
|
|
purposeful trust recommendation. The recipient of this referral
|
|
|
|
|
typically accepts the alleged name as a petname, though in some cases
|
|
|
|
|
the recipient may instead choose other petnames, such as, "Bob's big
|
|
|
|
|
dumb dufus of a son", which is a strictly private petname.
|
|
|
|
|
|
|
|
|
|
These physical world petname
|
|
|
|
|
systems were sufficiently different
|
|
|
|
|
from computer-based petname systems that it is dangerous to draw too
|
|
|
|
|
many conclusions from them. But the similarities are sufficiently
|
|
|
|
|
intriguing that the author feels compelled to mention them. More
|
|
|
|
|
comprehensive comparison and contrasting of physical petnaming to
|
|
|
|
|
computer-based petnaming is left as an entertainment for the reader.
|
|
|
|
|
|
|
|
|
|
## Trademark Law
|
|
|
|
|
|
|
|
|
|
Trademark law is not a petname
|
|
|
|
|
system. When civilization started
|
|
|
|
|
creating entities that did not have unforgeable faces (like Apple
|
|
|
|
|
Computer), we settled on a legal system that attempted, with fair
|
|
|
|
|
success, to enforce (that is, secure) purpose-unique memorable
|
|
|
|
|
global IDs for small numbers of entities. It is hard to map trademarks
|
|
|
|
|
onto petname systems for comparison, but an attempt seems in order. The
|
|
|
|
|
trademark-purpose pair is the key, made unforgeable by government
|
|
|
|
|
coercion. It
|
|
|
|
|
is important to note that the trademark itself is not the key: Apple
|
|
|
|
|
Computer and Apple Music both used the trademark Apple for decades,
|
|
|
|
|
without conflict, until Apple Computer entered the music business.
|
|
|
|
|
|
|
|
|
|
The trademark by itself is the
|
|
|
|
|
nickname: Apple Computer thinks of itself as "Apple". Petnames are
|
|
|
|
|
absent. Mimicry is prevented by the same
|
|
|
|
|
government action as forgery, and indeed the trademark system makes no
|
|
|
|
|
distinction between forgery and mimicry (which helps explain why the
|
|
|
|
|
distinction is so blurred in most computer security discussions).
|
|
|
|
|
|
|
|
|
|
Trademark law depends on the
|
|
|
|
|
legal system to disambiguate "similar
|
|
|
|
|
purpose". This is expensive, and consequently trademark law can only
|
|
|
|
|
apply to "small" numbers of "big" entities. The name Mark Miller is
|
|
|
|
|
covered by trademark law, but only in explicitly recognizing that all
|
|
|
|
|
people who have that name may use it, i.e., trademark law recognizes
|
|
|
|
|
non-uniqueness in this case. On the Web, the number of entities with
|
|
|
|
|
whom we
|
|
|
|
|
would like to associate trust/vulnerability relationships is extremely
|
|
|
|
|
large; indeed,
|
|
|
|
|
one of the failures of the Web today is that we cannot construct as
|
|
|
|
|
many such associations as we would like. Those relationships span
|
|
|
|
|
multiple legal jurisdictions, further complicating the trademark
|
|
|
|
|
system. Trademarking simply does not scale well enough for the age of the Web, despite its success in earlier eras.
|
|
|
|
|
|
|
|
|
|
## Instant Messaging Buddy Lists
|
|
|
|
|
|
|
|
|
|
Buddy lists for instant messengers follow the logic of petname systems
|
|
|
|
|
quite closely, though all the security properties are discarded in current
|
|
|
|
|
implementations. Each entity gets a globally unique id, rooted in the
|
|
|
|
|
domain name of the messaging service, which fills the role of "key". A
|
|
|
|
|
weak effort is made to make the id both human memorable on the one
|
|
|
|
|
hand, and unforgeable, on the other. The id is used as a nickname;
|
|
|
|
|
being sometimes memorable, it works well enough often enough. The same
|
|
|
|
|
id is used as
|
|
|
|
|
a key even though it is easy
|
|
|
|
|
to forge (either through man in the middle attacks or password
|
|
|
|
|
attacks).
|
|
|
|
|
The important point is that, once the user puts a petname into the
|
|
|
|
|
buddy list, all references to the id are represented using the petname:
|
|
|
|
|
you
|
|
|
|
|
can connect to the entity using the petname, and when the entity
|
|
|
|
|
connects to you, the petname displays.
|
|
|
|
|
|
|
|
|
|
Buddy lists are so intuitive,
|
|
|
|
|
people easily learn how to use them
|
|
|
|
|
with neither instruction nor documentation. An instant messenger that
|
|
|
|
|
used true keys, true nicknames, and enforced good security properties
|
|
|
|
|
would be virtually indistinguishable in user-interface presentation
|
|
|
|
|
from
|
|
|
|
|
existing systems; indeed, if one used an object-capability style of
|
|
|
|
|
key, the biggest difference would be the absence of passwords, an
|
|
|
|
|
actual usability improvement. Informal experimentation on a global
|
|
|
|
|
scale in the
|
|
|
|
|
instant messaging arena suggests the petname architecture embodied in
|
|
|
|
|
buddy lists can work well.
|
|
|
|
|
|
|
|
|
|
## CapDesk and Polaris
|
|
|
|
|
|
|
|
|
|
CapDesk \[CapDesk\] and Polaris \[Polaris\] are desktop systems that
|
|
|
|
|
explicitly flesh out a petname system to enforce security
|
|
|
|
|
properties. CapDesk is a point and click desktop that combines
|
|
|
|
|
usability, security, and functionality, to a degree often found
|
|
|
|
|
surprising by those unfamiliar with it. In CapDesk, at
|
|
|
|
|
application installation time the
|
|
|
|
|
application proposes a pet text and a pet graphic (the icon for the top
|
|
|
|
|
left corner, and the text in the title bar that is immediately
|
|
|
|
|
adjacent). The user may accept this petname or modify it. Windows
|
|
|
|
|
launched thereafter by the installed application are unforgeably marked
|
|
|
|
|
with the petname. Limited informal experimentation suggested that the
|
|
|
|
|
CapDesk petname system was intuitive and easy to use, like the buddy
|
|
|
|
|
lists.
|
|
|
|
|
|
|
|
|
|
Polaris is a derivative of
|
|
|
|
|
CapDesk that defends the Windows
|
|
|
|
|
operating system against several interesting classes of attack. Polaris
|
|
|
|
|
uses pet texts similar to the CapDesk pet texts for marking the
|
|
|
|
|
windows. Polaris was used in a larger set of pilot programs than
|
|
|
|
|
CapDesk ever experienced.
|
|
|
|
|
One result of the pilots that proved a pleasant surprise was that
|
|
|
|
|
people were aware of and sensitive to the petname markings. This
|
|
|
|
|
supports the hope that petnames could indeed strongly impact phishing.
|
|
|
|
|
|
|
|
|
|
## Domain Names
|
|
|
|
|
|
|
|
|
|
The DNS system is perhaps the most widely used naming architecture in
|
|
|
|
|
the world. There are a couple of ways of viewing DNS from a petname
|
|
|
|
|
perspective. The most clarifying view is perhaps the view of the domain
|
|
|
|
|
name as both key and
|
|
|
|
|
nickname rolled into one -- a unique nickname that must try to support
|
|
|
|
|
security
|
|
|
|
|
properties. One powerful way to describe DNS is to say that DNS strives
|
|
|
|
|
to make keys that are memorable. In other words, it is a direct
|
|
|
|
|
violation of Zooko's triangle. And that is why mimicry is possible. *Mimicry is an emergent
|
|
|
|
|
property of the violation of Zooko's
|
|
|
|
|
triangle.* Mimicry emerges as
|
|
|
|
|
the system grows to large scale. DNS is the leading example of the
|
|
|
|
|
problem.
|
|
|
|
|
|
|
|
|
|
Several of the other examples
|
|
|
|
|
here treat the domain name as a trusted-path key.
|
|
|
|
|
Domain names are forgeable, but in practice they seem to be resistant
|
|
|
|
|
enough to forgery to be useful. Judging by the
|
|
|
|
|
prevalence of mimicry-based phishing over DNS forgery, it seems clear
|
|
|
|
|
that forgery is not the weakest link in DNS; mimicry is.
|
|
|
|
|
|
|
|
|
|
## Browser Bookmarks
|
|
|
|
|
|
|
|
|
|
Browser bookmarks combined with DNS have a remarkable similarity to a
|
|
|
|
|
petname system...with a fatal flaw. Think of the domain name as both a
|
|
|
|
|
key and a nickname (which is not fatal to a petname system, remember
|
|
|
|
|
the nickname has no security properties, it can be gibberish or
|
|
|
|
|
massively oversubscribed or mimicked without violation...though the
|
|
|
|
|
petname system has a better chance of success if users understand that
|
|
|
|
|
the nickname has no security properties, which is another problem with
|
|
|
|
|
DNS). With this characterization, the bookmark can be thought of as a
|
|
|
|
|
private name that points at the key,
|
|
|
|
|
suggested by the nickname. It sounds like a petname system.
|
|
|
|
|
|
|
|
|
|
However, the bookmark is not a
|
|
|
|
|
petname. Technically, it is a
|
|
|
|
|
*lambda name*. As noted earlier,
|
|
|
|
|
a true petname is a
|
|
|
|
|
*two-way* mapping: any
|
|
|
|
|
reference to the key is represented in the user's world as the petname.
|
|
|
|
|
However, lambda names like bookmarks only map from the private name to
|
|
|
|
|
the key, with no mapping back. When you follow a bookmark to a page, or
|
|
|
|
|
take any other path to get to the page, the domain name is used
|
|
|
|
|
throughout the user interface as the "name" for presentation to the
|
|
|
|
|
user, a fundamental violation of petname logic. Despite this violation,
|
|
|
|
|
bookmarks plus DNS demonstrate how even a partial implementation
|
|
|
|
|
of petnames will deliver some of the defense against
|
|
|
|
|
mimicry that a full petname system can achieve. Any person who uses the
|
|
|
|
|
strategy of reading an email allegedly from PayPal, and then clicking
|
|
|
|
|
on their existing bookmark to go to PayPal rather than following the
|
|
|
|
|
email-embedded link, is getting a security benefit derived from the
|
|
|
|
|
partial implementation of petnames afforded by bookmarks.
|
|
|
|
|
|
|
|
|
|
## OpenPGP and the Web of Trust
|
|
|
|
|
|
|
|
|
|
OpenPGP keys
|
|
|
|
|
carry nicknames with them, and the user can replace nicknames with a
|
|
|
|
|
name of the user's choosing, which would be a petname. When an entity's
|
|
|
|
|
key is observed by the software, the pet name is properly presented,
|
|
|
|
|
i.e., the petname is properly bidirectional.
|
|
|
|
|
The Web of Trust supplies an interesting way to associate these keys
|
|
|
|
|
with purposeful trust, by asking other entities who have vouched for
|
|
|
|
|
the new entity, what they recommend as a trust relationship.
|
|
|
|
|
|
|
|
|
|
With all these features,
|
|
|
|
|
OpenPGP supplies a true petname system
|
|
|
|
|
architecture. OpenPGP has not been tested by phishing attacks yet.
|
|
|
|
|
Since all the basic elements are there, the biggest question would be,
|
|
|
|
|
how must the user interfaces for applications using OpenPGP evolve to
|
|
|
|
|
face such a threat? This is another reminder that user interface is as
|
|
|
|
|
critical for any practical security architecture as is the crypto. A
|
|
|
|
|
security system whose user interface is written by cryptographers is no
|
|
|
|
|
more likely to succeed than a security system whose encryption
|
|
|
|
|
machinery is written by user interface designers.
|
|
|
|
|
|
2024-06-15 22:28:08 -04:00
|
|
|
|
## Waterken Petname Toolbar
|
2023-05-10 21:12:25 -04:00
|
|
|
|
|
|
|
|
|
This toolbar\[Waterken\] is a proposal for web browsers explicitly based
|
|
|
|
|
on petname
|
|
|
|
|
architecture, explicitly to prevent phishing. A certificate plus a
|
|
|
|
|
domain name is treated as the key. The petname is a true two-way
|
|
|
|
|
mapping between key
|
|
|
|
|
and private name. The alleged name for all sites is "untrusted"; there
|
|
|
|
|
is no nickname. For those
|
|
|
|
|
sites to which the user assigns a petname, the toolbar supplies
|
|
|
|
|
markings
|
|
|
|
|
that makes it easy for the user to unambiguously distinguish the site.
|
|
|
|
|
This toolbar has been implemented for Firefox. This author switched to
|
|
|
|
|
FireFox from Mozilla just to be able to use this tool. Limited
|
|
|
|
|
informal experimentation suggests that the petname toolbar is as
|
|
|
|
|
intuitive as the buddy lists and desktop systems described earlier.
|
|
|
|
|
|
|
|
|
|
## Certificate Authorities
|
|
|
|
|
|
|
|
|
|
Certificate
|
|
|
|
|
Authorities create
|
|
|
|
|
nickname/key pairs. The certificates
|
|
|
|
|
share with pgp keys the cryptographic strength to ensure
|
|
|
|
|
unforgeability. The claim is made that, because the nickname is unique
|
|
|
|
|
within the CA, interesting security properties may be ascribed to the
|
|
|
|
|
nickname. Petnames are not included in the scheme. It looks a fair bit
|
|
|
|
|
like DNS, with the CA root playing the role of the DNS root servers.
|
|
|
|
|
|
|
|
|
|
How do CA-based
|
|
|
|
|
systems fair against mimicry? The similarity to DNS is certainly
|
|
|
|
|
suspicious. A generous author
|
|
|
|
|
might just say, CA defense against mimicry is controversial in theory
|
|
|
|
|
and untested in practice. A less generous author would probably say no
|
|
|
|
|
more, since such an author would still desire people who
|
|
|
|
|
think that CAs are beneficial to read the rest of the paper.\
|
|
|
|
|
|
|
|
|
|
## Trustbar
|
|
|
|
|
|
|
|
|
|
The trustbar \[trustbar\] is a CA-based
|
|
|
|
|
browser system that
|
|
|
|
|
allows user construction of petnames, including both pet text and pet
|
|
|
|
|
graphics, for the certified entity. In the 0.1 Mozilla
|
|
|
|
|
implementation, the distinction between a nickname (based on the cert)
|
|
|
|
|
and the petname is implied by the popup of a dialog box when the cert
|
|
|
|
|
is first encountered and no petname has yet been assigned. The petname
|
|
|
|
|
and the key are not quite fully bidirectional: the key is properly
|
|
|
|
|
represented by the petname in user interactions, but the petname cannot
|
|
|
|
|
be used to get to the key. This is just a quibble, however. The
|
|
|
|
|
Trustbar implements a petname system. It has, however, a big change
|
|
|
|
|
from a simple petname system: the inclusion of a
|
|
|
|
|
CA
|
|
|
|
|
in
|
|
|
|
|
the mix. Does this help
|
|
|
|
|
or hinder?
|
|
|
|
|
|
|
|
|
|
In the presence of the popular
|
|
|
|
|
"Just click Ok" mantra for certs, adding a CA
|
|
|
|
|
to the system may introduce new vulnerabilities. Two CA-based
|
|
|
|
|
attack examples: "We here at Verisign are upgrading our root key.
|
|
|
|
|
Please
|
|
|
|
|
follow the link and click Ok." Alternatively, "We here at Paypal have
|
|
|
|
|
fallen
|
|
|
|
|
into a legal dispute with Entrust. We are using a new CA that is every
|
|
|
|
|
bit as trustworthy. Please follow the link and click Ok." Brief
|
|
|
|
|
informal experimentation with the author's 83-year-old mother-in-law
|
|
|
|
|
suggests that an email asserting Paypal has changed domain names is
|
|
|
|
|
easily recognized as an attack. However, email asserting a cert has
|
|
|
|
|
changed is
|
|
|
|
|
viewed as a foolish demand impeding progress -- just click OK.
|
|
|
|
|
|
|
|
|
|
As noted earlier, user
|
|
|
|
|
interface design is every bit as important to
|
|
|
|
|
security as the strength of the keys. Simply stripping the trustbar
|
|
|
|
|
tool of the inevitable plethora of CA-related dialog boxes would
|
|
|
|
|
significantly improve usability, increasing the chances that real human
|
|
|
|
|
beings would tolerate it; all the security properties of a
|
|
|
|
|
petname system without CAs would remain intact. The Trustbar itself
|
|
|
|
|
pops dialogs at the user (sometimes several in a row, if the entity
|
|
|
|
|
maintaining a web site decides to use different certs for different
|
|
|
|
|
pages, as discovered during the author's experiments). Private
|
|
|
|
|
correspondence
|
|
|
|
|
with the designers of the trustbar suggest that evolution in a
|
|
|
|
|
direction reducing the frequency and annoyance of the dialogs is a
|
|
|
|
|
possibility.
|
|
|
|
|
|
|
|
|
|
How well will the current implementation of the trustbar work in
|
|
|
|
|
practice? Only
|
|
|
|
|
experimentation can tell.
|
|
|
|
|
|
|
|
|
|
## Pet Name Markup Language
|
|
|
|
|
|
|
|
|
|
PNML is an XML proposal for
|
|
|
|
|
using petname systems ubiquitously. In a
|
|
|
|
|
chat system, if Bob made a reference to Alice in the text he wrote to
|
|
|
|
|
Ted, and if Alice is Bob's petname for a person known to Ted with
|
|
|
|
|
petname Carol, the sent reference to Alice would be converted via the
|
|
|
|
|
magic of computers into a received reference to Carol. It would take
|
|
|
|
|
more effort to build PNML into an existing browser than to
|
|
|
|
|
integrate the Waterken Petname Toolbar, but the results
|
|
|
|
|
would be interesting indeed.
|
|
|
|
|
|
|
|
|
|
# Conclusions
|
|
|
|
|
|
|
|
|
|
Many informal experiments with
|
|
|
|
|
systems identified here that use
|
|
|
|
|
parts
|
|
|
|
|
of petname systems
|
|
|
|
|
have
|
|
|
|
|
demonstrated that they can be intuitive and easy to use (Buddy Lists,
|
|
|
|
|
Browser bookmarks, the petname toolbar, and the CapDesk and Polaris
|
|
|
|
|
secure desktops). A user who
|
|
|
|
|
understands his petname system and is alert to the information it
|
|
|
|
|
conveys can be extremely hard to trick using mimicry, making that user
|
|
|
|
|
a difficult target for phishing. Experimentation is required to
|
|
|
|
|
determine how much less vulnerable to phishing the typical user would
|
|
|
|
|
become given a petname system. Experimentation with
|
|
|
|
|
petnames for web browsers does not have to be expensive; both the
|
|
|
|
|
Trustbar and the Waterken
|
|
|
|
|
Petname Toolbar are ready now, both for usage and for further
|
|
|
|
|
experimentation by building variations based on the open-source code.
|
|
|
|
|
|
|
|
|
|
# Implementation Notes/Requirements
|
|
|
|
|
|
|
|
|
|
Following are key features
|
|
|
|
|
of a petname system. If an
|
|
|
|
|
implementation of a naming system for an application does not include
|
|
|
|
|
these properties, it is not fully following the logic of petnames:
|
|
|
|
|
|
|
|
|
|
- The key must be resistant
|
|
|
|
|
enough to forgery to survive in the
|
|
|
|
|
context of the application threat model.
|
|
|
|
|
- There can be at most one
|
|
|
|
|
petname per key per user per
|
|
|
|
|
application.\
|
|
|
|
|
- There can be at most one key
|
|
|
|
|
per petname (per user per
|
|
|
|
|
application).
|
|
|
|
|
- In the application user
|
|
|
|
|
interface, all references to the key are
|
|
|
|
|
represented by the petname.
|
|
|
|
|
- The user must be able to
|
|
|
|
|
assign a private petname to any key.
|
|
|
|
|
- The petname must be assigned
|
|
|
|
|
to the key only by explicit user
|
|
|
|
|
action.
|
|
|
|
|
- The user must be able to
|
|
|
|
|
repeatedly edit the petname of any key.
|
|
|
|
|
- The user interface shall
|
|
|
|
|
assist the user in assuring that two
|
|
|
|
|
petnames are not similar enough to enable mimicry, to the extent
|
|
|
|
|
necessitated by the complexity of the application context in which the
|
|
|
|
|
petnames are selected and manipulated. If the number of petnames needed
|
|
|
|
|
by the application is small and they are easily remembered, no
|
|
|
|
|
assistance may be required. If the number of petnames is large, and/or
|
|
|
|
|
difficult to remember and/or likely to be similar, and the resultant
|
|
|
|
|
forms of mimicry, accidental or intentional, leads to vulnerability
|
|
|
|
|
inside the threat model, assistance is required.
|
|
|
|
|
- Nicknames and alleged names
|
|
|
|
|
must be unambiguously visually
|
|
|
|
|
distinct from petnames.
|
|
|
|
|
- Nicknames are optional.
|
|
|
|
|
|
|
|
|
|
# Glossary
|
|
|
|
|
|
|
|
|
|
**Petname
|
|
|
|
|
System:** a naming system in
|
|
|
|
|
which, for each
|
|
|
|
|
individual entity recognized by another entity, three interlocking
|
|
|
|
|
names solve Zooko's Triangle. The three elements are the key
|
|
|
|
|
(global
|
|
|
|
|
and secure), the nickname (global and memorable), and the petname
|
|
|
|
|
(secure and memorable).
|
|
|
|
|
|
|
|
|
|
**Petname:**
|
|
|
|
|
This term has three distinct but related
|
|
|
|
|
usages in the literature on petnames. Sometimes it is used as a
|
|
|
|
|
shorthand for referring to the petname system as a whole. Sometimes it
|
|
|
|
|
is used as a direct reference to the naming element that is secure,
|
|
|
|
|
memorable, and private to the individual who refers to another
|
|
|
|
|
entity; this is the
|
|
|
|
|
meaning used throughout this paper. Sometimes "petname" is used to
|
|
|
|
|
refer to the textual component of a
|
|
|
|
|
petname (which may have graphical elements as well). In
|
|
|
|
|
contexts outside this paper, the reader must
|
|
|
|
|
ascertain the correct interpretation from that context. True petnames
|
|
|
|
|
are 2-way associative: given a petname in a specific application on a
|
|
|
|
|
specific machine, you can acquire the key, and given the key, you can
|
|
|
|
|
acquire the petname. The mapping back from the key to the petname is
|
|
|
|
|
always performed when presenting data to the user. This makes petnames
|
|
|
|
|
different
|
|
|
|
|
from lambda names, which only map from the name to the key.
|
|
|
|
|
|
|
|
|
|
**Pet
|
|
|
|
|
Text:** A petname, or part of
|
|
|
|
|
a petname, that is textual. The
|
|
|
|
|
owner of a machine upon which a petname resides can edit the text to
|
|
|
|
|
modify the petname.
|
|
|
|
|
|
|
|
|
|
**Pet
|
|
|
|
|
Graphic:** A petname, or part
|
|
|
|
|
of a petname, that is graphical.
|
|
|
|
|
|
|
|
|
|
**Pet
|
|
|
|
|
Face:** A petname, or part of
|
|
|
|
|
a petname, that is an image of a
|
|
|
|
|
human face. Pet faces are intended to exploit the special powers of the
|
|
|
|
|
human mind for associating purposeful trust with another human.
|
|
|
|
|
|
|
|
|
|
**Purposeful
|
|
|
|
|
Trust:** The type of
|
|
|
|
|
trust that is needed before a person
|
|
|
|
|
should empower another entity. Examples: "I trust Entity X to
|
|
|
|
|
hold N
|
|
|
|
|
dollars for me, and to perform transfers of that money on my behalf."
|
|
|
|
|
And, "I trust Entity Y to tell me whether or not to buy a car
|
|
|
|
|
from
|
|
|
|
|
Entity Z." We speak of purposeful trust to distinguish it from the many
|
|
|
|
|
other things computer people call "trust" these days. CAs, for
|
|
|
|
|
example supply "trust". But CAs do not tell you if you can trust a
|
|
|
|
|
certificate owner to pick up your garbage, or handle your
|
|
|
|
|
stock portfolio. It's just "trust".
|
|
|
|
|
|
|
|
|
|
**Forgery:**
|
|
|
|
|
An exact duplication
|
|
|
|
|
of a key, such that neither human nor computer can distinguish the
|
|
|
|
|
duplicate from the original.
|
|
|
|
|
|
|
|
|
|
**Mimicry:**
|
|
|
|
|
A duplication of
|
|
|
|
|
a name that is good enough to fool the human being, though not good
|
|
|
|
|
enough to fool a computer. A famous example is
|
|
|
|
|
the name *paypa1*
|
|
|
|
|
(with a "one" as the final character),
|
|
|
|
|
which mimics *paypal*
|
|
|
|
|
quite well.
|
|
|
|
|
The quality of the mimicry of paypal depends on the ambiguity of the
|
|
|
|
|
font in
|
|
|
|
|
use, and the alertness of the human reading the message.
|
|
|
|
|
|
|
|
|
|
**Lambda Names:**
|
|
|
|
|
Names that are memorable, secure, and
|
|
|
|
|
private, but
|
|
|
|
|
which only map from the name to the key: given the lambda name, you can
|
|
|
|
|
retrieve the key, but given the key there is no mapping back to the
|
|
|
|
|
name. Objects in programming languages follow this logic: the
|
|
|
|
|
programmer gives the object a name in the program, but once compiled,
|
|
|
|
|
neither the object nor much of anything else knows how to get back to
|
|
|
|
|
the name (though this is an imperfect example, since debuggers can
|
|
|
|
|
indeed map back). Bookmarks in browsers are another example: the
|
|
|
|
|
bookmark maps to a url, but once you go to the url, the url is
|
|
|
|
|
presented directly to the user, not the name embodied in the bookmark.
|
|
|
|
|
Consequently bookmarks cannot help against phishing.
|
|
|
|
|
|
|
|
|
|
# Acknowledgements
|
|
|
|
|
|
|
|
|
|
Thank you to everyone on the Cap-Talk mailing list for their help,
|
|
|
|
|
especially Ian Grigg for his deliciously relentless criticism, but also
|
|
|
|
|
notably including David Hopwood, Alan Karp, Mark Miller, Tyler Close,
|
|
|
|
|
Trevor Perrin, and Charles Landau, each of whom made comments that
|
|
|
|
|
directly caused modification to the early draft. Thank you also to Amir
|
|
|
|
|
Herzberg for his assistance in understanding the Trustbar.
|
|
|
|
|
|
|
|
|
|
# References
|
|
|
|
|
|
|
|
|
|
\[Zooko\] <http://zooko.com/distnames.html>\
|
|
|
|
|
\[Trustbar\] <http://eprint.iacr.org/2004/155/>
|
|
|
|
|
or [http://www.cs.biu.ac.il/\~herzbea//Papers/ecommerce/spoofing.htm](http://www.cs.biu.ac.il/%7Eherzbea//Papers/ecommerce/spoofing.htm)\
|
|
|
|
|
\[CapDesk\] <http://www.skyhunter.com/marcs/CapDeskSpec.html>
|
|
|
|
|
or <http://www.combex.com/tech/edesk.html>\
|
|
|
|
|
\[Polaris\] <http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html>\
|
|
|
|
|
\[Waterken\] <http://www.waterken.com/user/PetnameTool/>[](http://www.erights.org/elib/capability/pnml.html)\
|