957 lines
42 KiB
Markdown
957 lines
42 KiB
Markdown
---
|
||
title: An Introduction to Petname Systems
|
||
# notmine
|
||
---
|
||
|
||
::: {style="text-align: center;"}
|
||
by
|
||
Marc Stiegler, Feb 2005, copyright under the MIT X License\
|
||
updated June 2010\
|
||
:::
|
||
|
||
# Abstract
|
||
|
||
Zooko's Triangle \[Zooko\] argues
|
||
that names cannot be global, secure, and memorable, all at the same
|
||
time. Domain names are an example: they are global, and memorable, but
|
||
as the rapid rise of phishing demonstrates, they are not secure.
|
||
|
||
Though no single name can have
|
||
all three properties, the *petname*
|
||
*system*
|
||
does indeed embody all three properties. Informal
|
||
experiments with petname-like systems suggest that petnames can be both
|
||
intuitive and effective. Experimental implementations already exist for
|
||
simple
|
||
extensions to existing browsers that could alleviate (possibly
|
||
dramatically) the problems with phishing. As phishers gain
|
||
sophistication, it seems compelling to experiment with petname systems
|
||
as part of the solution.
|
||
|
||
# Basic Petname Layout
|
||
|
||
Below, we have Zooko's Triangle
|
||
overlaid with a petname system:
|
||
|
||
![](./zooko-triangle.gif)
|
||
|
||
For the purposes of this document, we actually use an
|
||
alternate rendering of the key points of Zooko's Triangle. The
|
||
points
|
||
of the triangle are:
|
||
|
||
- Memorable: this means
|
||
that a human being has a chance of
|
||
remembering the name. Memorable names pass the "moving bus test": if
|
||
you see the name on the side of a bus as it drives past you, you should
|
||
be able to remember the name long enough to use it when you get home.
|
||
- Global: this means the name
|
||
is publicly available, and indeed the entity to whom the name is
|
||
attached is eager to give it to you. A key goal of marketing and
|
||
advertising is to capture memorable names in such a fashion that the
|
||
memorable name is globally locked to a particular entity.
|
||
- Securely Unique: This is
|
||
means that the name cannot be *forged*
|
||
or *mimicked*.
|
||
A name can be forged
|
||
if one can
|
||
manufacture an exact duplicate of the name such that neither man nor
|
||
machine can tell the difference. A name can be mimicked
|
||
if
|
||
one can make a name similar enough to fool the human being. In general,
|
||
phishing depends on mimicry, not forgery. This difference becomes
|
||
crucial later in the discussion.
|
||
|
||
Each name set consists of three
|
||
elements: a *key*
|
||
that is global and securely unique (but not necessarily memorable); a *nickname*
|
||
that is global and memorable (but not at all unique) , and a *petname*
|
||
that is securely unique and memorable (but private, not global):
|
||
|
||
- **Keys** lie at the heart of the security properties
|
||
of the petname system. Nicknames and petnames exist to make it easy for
|
||
human beings to manipulate keys. The security of the
|
||
system can be no stronger than the unforgeability of the keys.
|
||
Self-authenticating public/private key pairs make excellent keys since
|
||
they have strong
|
||
unforgeability properties. But there are other ways of achieving
|
||
unforgeability. A trusted path can also work well as the key: the full
|
||
pathname to a file on a specific computer is
|
||
also unforgeable (or at least, as unforgeable as the designation of the
|
||
specific computer, which can be quite strong in some cases). It does
|
||
not make any difference in a petname system whether a key can be
|
||
mimicked: keys are handled only by the computer, the human being
|
||
handles the keys only indirectly via petnames. For a particular person,
|
||
for a particular application, there is a
|
||
one-to-one mapping between a key and a petname.
|
||
|
||
- **Nicknames**
|
||
can be used to assist in discovery of
|
||
keys, and for help in selecting a petname. Nicknames are chosen by the
|
||
owners of keys in hopes of creating a distinctive, if not
|
||
unique,
|
||
mapping from the memorable nickname to the key. Such nicknames often
|
||
are promulgated throughout the world in
|
||
the hopes of making the nickname stick in the mind as a reference to
|
||
the
|
||
key. Since there are strong incentives to "take ownership" of a
|
||
nickname, even though true ownership is not possible, nicknames are the
|
||
most often misunderstood part of a petname system.
|
||
|
||
In the simple case, a nickname has a one-to-many mapping to
|
||
keys The name John Smith is obviously a
|
||
nickname: there are many John Smiths.Other nicknames
|
||
produce the illusion of being globally unique: the name Marc Stiegler
|
||
appears to be globally unique at the time of this writing. But there is
|
||
no security property in this accident of global uniqueness. The
|
||
uniqueness of the name Marc Stiegler would change quite quickly if,
|
||
through the
|
||
mysterious forces of human whimsy, the name suddenly became desirable.
|
||
Sometimes the desirability of a nickname is not whimsical, but venal.
|
||
It is already desirable for some applications to call
|
||
themselves
|
||
Quicken, for example, and draw windows that request a Quicken password.
|
||
|
||
- **Petnames**
|
||
are our private bidirectional
|
||
references to keys.
|
||
There are many Mark Millers, but there is one specific Mark Miller that
|
||
the
|
||
name means to me, the Mark Miller who
|
||
works with object-capabilities for secure cooperation. "Mark Miller" is
|
||
Mark Miller's nickname; it also
|
||
happens to be my petname for the same individual. My private pet name
|
||
for my wife is not recognizably similar to the public nickname used by
|
||
my wife. In the computer setting, for a specific person with a specific
|
||
application, petnames are unique, each petname refers to exactly one
|
||
key, and each key is represented by exactly one petname. In all places
|
||
in
|
||
the application where the app wants to designate the key, the petname
|
||
is displayed -- which is to say, *a
|
||
true petname is a bidirectional one-to-one mapping to a key*.
|
||
All references to the key by the user interface are represented by
|
||
petname.
|
||
A key cannot have two petnames; if a single key had two petnames, under
|
||
what circumstances would the user interface use petname1 as the
|
||
representation of the key, and under what circumstances would it bring
|
||
up petname2?
|
||
|
||
## More Detail, and Interactions
|
||
|
||
A good example of a nickname management system is Google. Type
|
||
in a name, and Google will return a list that includes all the entities
|
||
Google knows, to which the name refers. Google
|
||
makes a mapping between these nicknames and their keys (if we think
|
||
of the url of a page as a trusted-path-style key, which will be
|
||
discussed later). Often
|
||
enough to be interesting, the first item in the list will be the one
|
||
you wanted. But it fails often enough, and endless pages of other
|
||
choices appear often enough, to never leave us in doubt that these
|
||
identifiers
|
||
are not unique mappings to single keys. As is already true in the
|
||
current world, in a world filled with petname
|
||
systems, a key goal of marketing would be to get your nickname listed
|
||
at the top of the Google rankings for that nickname.
|
||
|
||
A single key may map to multiple nicknames. The entity that comes up
|
||
first in a Google search for "Marc Stiegler" is an entity who proposes
|
||
the
|
||
nickname "marcs" for himself in many forums. However, to assess the
|
||
security
|
||
properties of a petname system, this is irrelevant.
|
||
|
||
Nicknames are conveniences that may serve as good starting points
|
||
for petnames. If I send
|
||
you my key and my nickname, often my nickname (which I normally will
|
||
have chosen to
|
||
be reasonably rare in the world) will work great as your petname. But
|
||
do not confuse the nickname-as-proposal with the
|
||
petname-as-decided. Never in a true petname system is
|
||
the nickname presented or employed as if it were a petname.
|
||
|
||
*Alleged names*
|
||
are similar enough to nicknames to be worth
|
||
distinguishing. An alleged name is the name for an entity proposed by a
|
||
third party, typically in an introduction. This can also be useful as a
|
||
starting place for picking a petname. Alleged names, like nicknames,
|
||
are usually memorable, often global, and never securely unique. Alleged
|
||
names are often based on nicknames, though this is unreliable enough,
|
||
if one really cares about the nickname then one really needs to ask the
|
||
entity holding the key, not the introducer.
|
||
|
||
In action, keys and alleged names
|
||
tend to be transferred together. We
|
||
refer henceforth to such key/alleged-name pairs as *referrals.*
|
||
|
||
It is crucial not to confuse
|
||
private petnames with global nicknames
|
||
that temporarily happen to have a unique mapping to a key.
|
||
Experience to date suggests that the word "petname" is attractive,
|
||
leading people to desire to use it. People can thence easily fall into
|
||
the trap of referring to momentarily
|
||
unique nicknames as "petnames". This error then leads them inevitably
|
||
to draw fatally confused conclusions about the possibility of petnames
|
||
with global meaning. The security properties of a petname come from its
|
||
privacy. Public nicknames are trivially vulnerable to
|
||
both forgery and mimicry; they have no security properties.
|
||
|
||
Petnames are guessable. Most people will accept Paypal's nickname as
|
||
the petname. This can only impact the security of the
|
||
system if the user interface
|
||
distinguishes the petnames from the nicknames so poorly that the user gets confused.
|
||
|
||
The term "petname" suggests that this name is embodied as text. This
|
||
is
|
||
not necessary; petnames can be graphical as well. Indeed, some of the
|
||
petname systems listed later use petnames that include both *pet
|
||
texts* and *pet graphics.*
|
||
|
||
Petnames must be repeatably editable by the human being so that the set
|
||
of petnames can evolve as the user's set of associations
|
||
grow.
|
||
You might use the petname "Mark Miller" for the one and only Mark
|
||
Miller that you know. But then if you meet another Mark Miller you will
|
||
have to distinguish, possibly by editing the first one: the single
|
||
entry "Mark Miller" may now split into "Mark Miller Capability Guru"
|
||
and "Mark Miller Dentist".
|
||
|
||
Petnames convey power: since the petname is the user representation
|
||
of the key, it is through the petname that the human
|
||
being
|
||
uses the key, communicates with the key owner, and conveys authority to
|
||
the key owner based on the user's *purposeful
|
||
trust*
|
||
relationship with that owner (*purposeful
|
||
trust* is the type of
|
||
trust
|
||
needed to engage in action: I trust (i.e., I am willing to be
|
||
vulnerable to) Entity X to hold N number of
|
||
dollars on my behalf, and to engage in transfers of that money based on
|
||
orders I give).
|
||
|
||
Another way of thinking about the relationship between a key and a
|
||
petname is this. The key is used to authenticate the entity that owns
|
||
the key. The petname is used as a handle upon which to hang the
|
||
trust/reliance/vulnerability data used by the human being to make
|
||
authorization decisions for that entity. If the entity represented by
|
||
the petname My Phone Company asks for my credit card, if the
|
||
justification sounds reasonable, I will release it. If the entity
|
||
represented by the petname Deadbeat Brother (whom I nonetheless trust
|
||
to teach my daughter soccer in the afternoon without supervision -- the
|
||
trust relationship with such a brother is neither positive nor
|
||
negative, it is complex) asks for my credit card, I will not release it
|
||
no matter what the justification.*\
|
||
*
|
||
|
||
*The security
|
||
of a petname system depends on the
|
||
keys to
|
||
prevent forgery, and on the petnames to prevent mimicry.*
|
||
|
||
# Petnames In Action
|
||
|
||
Informal
|
||
experimentation suggests that a petname system is
|
||
much easier to use than to explain (see examples below). We will create
|
||
a single example for this introduction, and give some hint as to the
|
||
wide diversity of variations in the Examples. Suppose I send you Mark
|
||
Miller's OpenPGP pubkey in email. I say, "here is mark miller's
|
||
pubkey."
|
||
I sent you both a key and an alleged
|
||
name
|
||
(mark miller). Implicit in the transmission of the alleged name is the
|
||
proposal that you might want to consider "mark miller" as the petname.
|
||
What you actually choose as a petname depends entirely on your context.
|
||
If you know this particular mark miller in other contexts in other
|
||
applications as "markm", you may choose "markm" as the name referring
|
||
to this key in your list of pubkeys. If you think this might be
|
||
the same mark miller, but are not willing to be vulnerable to me as the
|
||
sole source of such
|
||
powerful mapping, you might use the petname "Marc Stiegler's Mark
|
||
Miller" or "Mark Stiegler's markm". If you perform appropriate
|
||
incantations on the pubkey, you can get the entity's nickname. If this
|
||
pubkey already exists
|
||
in your list, your software shouldn't give you the choice of adding it:
|
||
the software should tell you that you already have this one, and tell
|
||
you the current petname (and perhaps bring up the petname editor so you
|
||
can change the petname if the newly-received reference suggests a
|
||
better name). If you receive a message signed with the private key for
|
||
the markm petname's pubkey, the software should display the
|
||
petname markm. If you send a
|
||
message to mark miller, you should pick the
|
||
encryption key based on the petname.
|
||
|
||
The above example has the
|
||
security properties of a petname system, but OpenPGP systems often do
|
||
not demonstrate the usability properties a petname system
|
||
needs.
|
||
Instant messaging systems with buddy lists demonstrate the usability
|
||
properties, but for reasons beyond the understanding of this author,
|
||
discard all the security properties. See the examples section for more
|
||
details on buddy lists as petname systems.\
|
||
|
||
# Key Issues with Petname Systems
|
||
|
||
Two elements of full-fledged
|
||
petname systems seem to be principle
|
||
sources of controversy. One is, how do I get the keys transferred
|
||
around the system? The other is, "how easily can Darth Vader mimic a
|
||
petname?".
|
||
|
||
## Transferring Keys and Purposeful Trust
|
||
|
||
Transferring keys around the universe is easy; for example, plaster the
|
||
keys on all the web sites in the world that'll let you do so. The hard
|
||
part is transferring a key with an association to purposeful trust. It
|
||
is useless to both PayPal and the phisher who wants your Paypal account
|
||
if you just know Paypal's key; you have to be willing to make yourself
|
||
vulnerable to the entity who
|
||
owns the key to hold your credit card, trusting him to engage in only
|
||
transfers that you specify.
|
||
|
||
The question, "how do I
|
||
transfer a purposeful
|
||
trust association?", is hard to
|
||
answer because there is no simple single answer. Instead, there are a
|
||
vast array of
|
||
answers, each of which works in narrow circumstances. The question
|
||
is made
|
||
even more difficult to answer because the mechanisms by which humans
|
||
determine an appropriate purposeful trust to be associated with an
|
||
entity
|
||
is subtle, complex, powerful, and completely subconscious: the
|
||
question of how you transfer the association can easily slide into a
|
||
hopeless discussion of how to create purposeful trust in the first
|
||
place. Here we outline some general ideas for transferring
|
||
key/purposeful-trust
|
||
mappings, then in the
|
||
Examples
|
||
point out some practical approaches in specific narrow contexts.
|
||
|
||
Answers often start with direct
|
||
physical contact. You get a combination of
|
||
a nickname and a key in a file from your best friend, who says, "this
|
||
Google thing is a great search engine", or "this Consumer Reports site
|
||
will not lead you astray". You stick these referrals in your browser,
|
||
assign petnames,
|
||
and make yourself vulnerable to them for the purposes stated because
|
||
your friend said so.
|
||
Then when the side of the bus says PayPal, you might go and see what
|
||
Google thinks Paypal means. Since a relationship with PayPal is a
|
||
serious vulnerability decision, serious enough so that we're not going
|
||
to jump
|
||
at the first site just because Google said so, we'll ask a few of our
|
||
friends to email referrals to the entities they use for online money.
|
||
If the referrals they send all share the same key as the Google
|
||
key (which is easy to tell, because trying to add each new key/petname
|
||
mapping will
|
||
produce the alert that the key matches something you've already got),
|
||
the
|
||
quality of your willingness to be vulnerable to the key you have
|
||
petnamed PayPal improves.
|
||
This is pretty similar to how
|
||
we all started using PayPal even without the petname system: we jumped
|
||
in when enough of our friends and organizations that we trust for
|
||
recommendations about financial matters concurred. The only difference
|
||
in the petname version of the story is that our friends explicitly gave
|
||
us referrals rather than easily mimicked domain names, and we
|
||
explicitly set a petname (perhaps by just clicking an Accept key when
|
||
the alleged name was proposed as the petname).
|
||
|
||
While a full-fledged, purebred
|
||
petname system could in principle
|
||
supplant the entire DNS system, we have DNS now, and we can use it to
|
||
do some bootstrapping. My ability to type google.com and
|
||
paypal.com is probably adequate to get started.
|
||
|
||
Regardless of how you
|
||
bootstrap, you
|
||
can get referrals by email, thumbdrive, web page, chat, and even by
|
||
telephone.
|
||
|
||
## Converting From Nickname to Petname
|
||
|
||
The other part of the system
|
||
that is impossible to quantify is the
|
||
mimicability of pet names. Let us assume a poorly built petname system
|
||
in the clutches of a clueless user. We have a money transfer site
|
||
on the Web that we have petnamed PayPal. We get an email telling us to
|
||
update our PayPal account, we click the link, and go to a domain that
|
||
has given itself the nickname PayPa1 (for those of you with typically
|
||
broken fonts, that last character, "1", is a one). Our poorly
|
||
built hypothetical petname system
|
||
is so poorly
|
||
built, the nickname is put into the field where the petnames go, with a
|
||
hint of shading or some other easy-to-miss mod to mark the
|
||
fact that
|
||
this is the web site's nickname for
|
||
itself, not our petname for it. The distinction is missed,
|
||
and
|
||
our
|
||
user is phished.
|
||
|
||
The solutions to this problem
|
||
are
|
||
application and context specific,
|
||
though there are some good ideas floating around that seem to have wide
|
||
applicability. In the Waterken Petname Toolbar proposal (see below),
|
||
the alleged name is always "untrusted". It's hard to fail to
|
||
recognize
|
||
that
|
||
this isn't PayPal, though a sufficiently unobservant user might
|
||
completely disregard the petname and nickname information and get
|
||
phished anyway. There is limited informal evidence that users really do
|
||
notice things like this (see below), and so the most cynical of
|
||
skeptics are probably mostly wrong though they are probably slightly
|
||
right: if you send a million phishing emails to each of a million
|
||
users, some day some one will be tired and unobservant and will get
|
||
phished. If sending a trillion emails like this is cheap enough,
|
||
phishing will remain profitable, so part of the solution needs to be
|
||
making a trillion emails ever so slightly expensive. Regardless,
|
||
multiple experiments with multiple
|
||
user interfaces would be a good idea to help develop user interfaces
|
||
that maximize the probability that a tired unobservant user will notice
|
||
a warning.
|
||
|
||
There are a couple of user
|
||
interface issues. The petnames must be unambiguously distinct from
|
||
nicknames. This seems easy to do, through colors, fonts, additional
|
||
text, and separate fields for the nickname as examples of pieces of
|
||
strategy.
|
||
|
||
More difficult is the following
|
||
problem: Petname creation must be
|
||
both painless (or people will reject the whole idea) and reliably
|
||
mimicry-free (it would be a disaster to have both PayPal and PayPa1 as
|
||
petnames!). Is this one of those hopeless tradeoffs that the
|
||
computer security community enjoys throwing in its own face? To the
|
||
author, this
|
||
problem looks solvable; indeed, it seems hard to believe that this
|
||
cannot be solved with some reasonable satisfaction, given the number of
|
||
user interface ideas for this problem floating around. But
|
||
implementations and experiments, will be required to identify minimally
|
||
intrusive, adequately effective solutions.
|
||
|
||
Here are two example ideas
|
||
for petname creation user interface
|
||
that seem generally applicable. First is to compose the default choice
|
||
for the petname out of a combination of contextual information and
|
||
nickname information. Suppose we click on a link to "PayPal" in the
|
||
Consumer Reports site (that is, the site that we have assigned the
|
||
nickname, "Consumer Reports"). This takes us to a new site that
|
||
proposes the nickname "PayPal". The system clearly marks that we do not
|
||
have a petname for this site and proposes "Consumer Reports's PayPal".
|
||
The user can press a button to accept this name, edit it, or, with
|
||
algorithmic chicanery left as an exercise for the reader, press a
|
||
second button that says, "let me use the raw nickname PayPal as the
|
||
petname." This system still depends on the user remembering the
|
||
petnames he has already assigned and noticing at the time of creation
|
||
of the new petname, whether he already has a similar name in his list.
|
||
This by itself is probably enough to protect the PayPal pet name --
|
||
most of us who gave PayPal a petname would have no trouble remembering
|
||
we had done so, and if we saw something that looked like "PayPal", we'd
|
||
notice we were at risk of confusing ourselves if we accepted a similar
|
||
name -- but again, we are dealing with humans, so the process is
|
||
imperfect. To support the human being, we'd want to use a font that was
|
||
as ambiguous as possible during petname creation, mixing up 1 and l and
|
||
I in a hopeless mess,
|
||
so that we could be confident that our petnames looked unique no
|
||
matter what ridiculous font got used later.
|
||
|
||
The second idea is to have a weak algorithm for comparing a candidate
|
||
petname in the act of being accepted to the existing petnames. We
|
||
explicitly call this a *weak*
|
||
algorithm because it can be
|
||
pretty poor. It is quite
|
||
acceptable for the algorithm to pop a list of "similar petnames" that
|
||
is overly extensive, i.e., it is fine to show names that the human
|
||
easily recognizes as distinct. The serious error is to fail to show
|
||
names that
|
||
the human might confuse. Comparing Paypal to Paypa1, a sample algorithm
|
||
might notice that the names are of similar length and have three
|
||
letters in common ("p", "a", and "y"), and say, "that's similar enough
|
||
to worry me, I'm gonna check with the boss." The algorithm for noticing
|
||
similarity between private petnames is under much less pressure to be
|
||
perfect than is the algorithm for a Certificate Authority when deciding
|
||
whether
|
||
to award the name "pawpal" when the name "paypal" already exists. A CA
|
||
might like to prevent mimicry, but to do so must tread a
|
||
difficult line with abolishing huge swaths of namespace to ensure
|
||
similarities don't arise.
|
||
|
||
However it is done, mixing alphabets from different languages into a
|
||
single petname list is ridiculous. These are private petnames. Only one
|
||
person in the whole world needs to read them. Use the user's default
|
||
character
|
||
set, and be done.
|
||
|
||
# Examples, Near Examples, and Comparisons
|
||
|
||
## Physical World Petnames
|
||
|
||
Humans have been using parts of
|
||
petname systems since before the
|
||
invention of the written word. Human faces
|
||
were used as keys. These keys resisted forgery far better than most
|
||
things that pass for security today on computers (except in episodes
|
||
of Mission Impossible, and the occasional Shakespearian comedy like
|
||
12th Night). The referral, "Joe, this is my son Billy,
|
||
he's great with a club," transferred both a key/alleged-name pair and a
|
||
first-order
|
||
purposeful trust recommendation. The recipient of this referral
|
||
typically accepts the alleged name as a petname, though in some cases
|
||
the recipient may instead choose other petnames, such as, "Bob's big
|
||
dumb dufus of a son", which is a strictly private petname.
|
||
|
||
These physical world petname
|
||
systems were sufficiently different
|
||
from computer-based petname systems that it is dangerous to draw too
|
||
many conclusions from them. But the similarities are sufficiently
|
||
intriguing that the author feels compelled to mention them. More
|
||
comprehensive comparison and contrasting of physical petnaming to
|
||
computer-based petnaming is left as an entertainment for the reader.
|
||
|
||
## Trademark Law
|
||
|
||
Trademark law is not a petname
|
||
system. When civilization started
|
||
creating entities that did not have unforgeable faces (like Apple
|
||
Computer), we settled on a legal system that attempted, with fair
|
||
success, to enforce (that is, secure) purpose-unique memorable
|
||
global IDs for small numbers of entities. It is hard to map trademarks
|
||
onto petname systems for comparison, but an attempt seems in order. The
|
||
trademark-purpose pair is the key, made unforgeable by government
|
||
coercion. It
|
||
is important to note that the trademark itself is not the key: Apple
|
||
Computer and Apple Music both used the trademark Apple for decades,
|
||
without conflict, until Apple Computer entered the music business.
|
||
|
||
The trademark by itself is the
|
||
nickname: Apple Computer thinks of itself as "Apple". Petnames are
|
||
absent. Mimicry is prevented by the same
|
||
government action as forgery, and indeed the trademark system makes no
|
||
distinction between forgery and mimicry (which helps explain why the
|
||
distinction is so blurred in most computer security discussions).
|
||
|
||
Trademark law depends on the
|
||
legal system to disambiguate "similar
|
||
purpose". This is expensive, and consequently trademark law can only
|
||
apply to "small" numbers of "big" entities. The name Mark Miller is
|
||
covered by trademark law, but only in explicitly recognizing that all
|
||
people who have that name may use it, i.e., trademark law recognizes
|
||
non-uniqueness in this case. On the Web, the number of entities with
|
||
whom we
|
||
would like to associate trust/vulnerability relationships is extremely
|
||
large; indeed,
|
||
one of the failures of the Web today is that we cannot construct as
|
||
many such associations as we would like. Those relationships span
|
||
multiple legal jurisdictions, further complicating the trademark
|
||
system. Trademarking simply does not scale well enough for the age of the Web, despite its success in earlier eras.
|
||
|
||
## Instant Messaging Buddy Lists
|
||
|
||
Buddy lists for instant messengers follow the logic of petname systems
|
||
quite closely, though all the security properties are discarded in current
|
||
implementations. Each entity gets a globally unique id, rooted in the
|
||
domain name of the messaging service, which fills the role of "key". A
|
||
weak effort is made to make the id both human memorable on the one
|
||
hand, and unforgeable, on the other. The id is used as a nickname;
|
||
being sometimes memorable, it works well enough often enough. The same
|
||
id is used as
|
||
a key even though it is easy
|
||
to forge (either through man in the middle attacks or password
|
||
attacks).
|
||
The important point is that, once the user puts a petname into the
|
||
buddy list, all references to the id are represented using the petname:
|
||
you
|
||
can connect to the entity using the petname, and when the entity
|
||
connects to you, the petname displays.
|
||
|
||
Buddy lists are so intuitive,
|
||
people easily learn how to use them
|
||
with neither instruction nor documentation. An instant messenger that
|
||
used true keys, true nicknames, and enforced good security properties
|
||
would be virtually indistinguishable in user-interface presentation
|
||
from
|
||
existing systems; indeed, if one used an object-capability style of
|
||
key, the biggest difference would be the absence of passwords, an
|
||
actual usability improvement. Informal experimentation on a global
|
||
scale in the
|
||
instant messaging arena suggests the petname architecture embodied in
|
||
buddy lists can work well.
|
||
|
||
## CapDesk and Polaris
|
||
|
||
CapDesk \[CapDesk\] and Polaris \[Polaris\] are desktop systems that
|
||
explicitly flesh out a petname system to enforce security
|
||
properties. CapDesk is a point and click desktop that combines
|
||
usability, security, and functionality, to a degree often found
|
||
surprising by those unfamiliar with it. In CapDesk, at
|
||
application installation time the
|
||
application proposes a pet text and a pet graphic (the icon for the top
|
||
left corner, and the text in the title bar that is immediately
|
||
adjacent). The user may accept this petname or modify it. Windows
|
||
launched thereafter by the installed application are unforgeably marked
|
||
with the petname. Limited informal experimentation suggested that the
|
||
CapDesk petname system was intuitive and easy to use, like the buddy
|
||
lists.
|
||
|
||
Polaris is a derivative of
|
||
CapDesk that defends the Windows
|
||
operating system against several interesting classes of attack. Polaris
|
||
uses pet texts similar to the CapDesk pet texts for marking the
|
||
windows. Polaris was used in a larger set of pilot programs than
|
||
CapDesk ever experienced.
|
||
One result of the pilots that proved a pleasant surprise was that
|
||
people were aware of and sensitive to the petname markings. This
|
||
supports the hope that petnames could indeed strongly impact phishing.
|
||
|
||
## Domain Names
|
||
|
||
The DNS system is perhaps the most widely used naming architecture in
|
||
the world. There are a couple of ways of viewing DNS from a petname
|
||
perspective. The most clarifying view is perhaps the view of the domain
|
||
name as both key and
|
||
nickname rolled into one -- a unique nickname that must try to support
|
||
security
|
||
properties. One powerful way to describe DNS is to say that DNS strives
|
||
to make keys that are memorable. In other words, it is a direct
|
||
violation of Zooko's triangle. And that is why mimicry is possible. *Mimicry is an emergent
|
||
property of the violation of Zooko's
|
||
triangle.* Mimicry emerges as
|
||
the system grows to large scale. DNS is the leading example of the
|
||
problem.
|
||
|
||
Several of the other examples
|
||
here treat the domain name as a trusted-path key.
|
||
Domain names are forgeable, but in practice they seem to be resistant
|
||
enough to forgery to be useful. Judging by the
|
||
prevalence of mimicry-based phishing over DNS forgery, it seems clear
|
||
that forgery is not the weakest link in DNS; mimicry is.
|
||
|
||
## Browser Bookmarks
|
||
|
||
Browser bookmarks combined with DNS have a remarkable similarity to a
|
||
petname system...with a fatal flaw. Think of the domain name as both a
|
||
key and a nickname (which is not fatal to a petname system, remember
|
||
the nickname has no security properties, it can be gibberish or
|
||
massively oversubscribed or mimicked without violation...though the
|
||
petname system has a better chance of success if users understand that
|
||
the nickname has no security properties, which is another problem with
|
||
DNS). With this characterization, the bookmark can be thought of as a
|
||
private name that points at the key,
|
||
suggested by the nickname. It sounds like a petname system.
|
||
|
||
However, the bookmark is not a
|
||
petname. Technically, it is a
|
||
*lambda name*. As noted earlier,
|
||
a true petname is a
|
||
*two-way* mapping: any
|
||
reference to the key is represented in the user's world as the petname.
|
||
However, lambda names like bookmarks only map from the private name to
|
||
the key, with no mapping back. When you follow a bookmark to a page, or
|
||
take any other path to get to the page, the domain name is used
|
||
throughout the user interface as the "name" for presentation to the
|
||
user, a fundamental violation of petname logic. Despite this violation,
|
||
bookmarks plus DNS demonstrate how even a partial implementation
|
||
of petnames will deliver some of the defense against
|
||
mimicry that a full petname system can achieve. Any person who uses the
|
||
strategy of reading an email allegedly from PayPal, and then clicking
|
||
on their existing bookmark to go to PayPal rather than following the
|
||
email-embedded link, is getting a security benefit derived from the
|
||
partial implementation of petnames afforded by bookmarks.
|
||
|
||
## OpenPGP and the Web of Trust
|
||
|
||
OpenPGP keys
|
||
carry nicknames with them, and the user can replace nicknames with a
|
||
name of the user's choosing, which would be a petname. When an entity's
|
||
key is observed by the software, the pet name is properly presented,
|
||
i.e., the petname is properly bidirectional.
|
||
The Web of Trust supplies an interesting way to associate these keys
|
||
with purposeful trust, by asking other entities who have vouched for
|
||
the new entity, what they recommend as a trust relationship.
|
||
|
||
With all these features,
|
||
OpenPGP supplies a true petname system
|
||
architecture. OpenPGP has not been tested by phishing attacks yet.
|
||
Since all the basic elements are there, the biggest question would be,
|
||
how must the user interfaces for applications using OpenPGP evolve to
|
||
face such a threat? This is another reminder that user interface is as
|
||
critical for any practical security architecture as is the crypto. A
|
||
security system whose user interface is written by cryptographers is no
|
||
more likely to succeed than a security system whose encryption
|
||
machinery is written by user interface designers.
|
||
|
||
## Waterken Petname Toolbar
|
||
|
||
This toolbar\[Waterken\] is a proposal for web browsers explicitly based
|
||
on petname
|
||
architecture, explicitly to prevent phishing. A certificate plus a
|
||
domain name is treated as the key. The petname is a true two-way
|
||
mapping between key
|
||
and private name. The alleged name for all sites is "untrusted"; there
|
||
is no nickname. For those
|
||
sites to which the user assigns a petname, the toolbar supplies
|
||
markings
|
||
that makes it easy for the user to unambiguously distinguish the site.
|
||
This toolbar has been implemented for Firefox. This author switched to
|
||
FireFox from Mozilla just to be able to use this tool. Limited
|
||
informal experimentation suggests that the petname toolbar is as
|
||
intuitive as the buddy lists and desktop systems described earlier.
|
||
|
||
## Certificate Authorities
|
||
|
||
Certificate
|
||
Authorities create
|
||
nickname/key pairs. The certificates
|
||
share with pgp keys the cryptographic strength to ensure
|
||
unforgeability. The claim is made that, because the nickname is unique
|
||
within the CA, interesting security properties may be ascribed to the
|
||
nickname. Petnames are not included in the scheme. It looks a fair bit
|
||
like DNS, with the CA root playing the role of the DNS root servers.
|
||
|
||
How do CA-based
|
||
systems fair against mimicry? The similarity to DNS is certainly
|
||
suspicious. A generous author
|
||
might just say, CA defense against mimicry is controversial in theory
|
||
and untested in practice. A less generous author would probably say no
|
||
more, since such an author would still desire people who
|
||
think that CAs are beneficial to read the rest of the paper.\
|
||
|
||
## Trustbar
|
||
|
||
The trustbar \[trustbar\] is a CA-based
|
||
browser system that
|
||
allows user construction of petnames, including both pet text and pet
|
||
graphics, for the certified entity. In the 0.1 Mozilla
|
||
implementation, the distinction between a nickname (based on the cert)
|
||
and the petname is implied by the popup of a dialog box when the cert
|
||
is first encountered and no petname has yet been assigned. The petname
|
||
and the key are not quite fully bidirectional: the key is properly
|
||
represented by the petname in user interactions, but the petname cannot
|
||
be used to get to the key. This is just a quibble, however. The
|
||
Trustbar implements a petname system. It has, however, a big change
|
||
from a simple petname system: the inclusion of a
|
||
CA
|
||
in
|
||
the mix. Does this help
|
||
or hinder?
|
||
|
||
In the presence of the popular
|
||
"Just click Ok" mantra for certs, adding a CA
|
||
to the system may introduce new vulnerabilities. Two CA-based
|
||
attack examples: "We here at Verisign are upgrading our root key.
|
||
Please
|
||
follow the link and click Ok." Alternatively, "We here at Paypal have
|
||
fallen
|
||
into a legal dispute with Entrust. We are using a new CA that is every
|
||
bit as trustworthy. Please follow the link and click Ok." Brief
|
||
informal experimentation with the author's 83-year-old mother-in-law
|
||
suggests that an email asserting Paypal has changed domain names is
|
||
easily recognized as an attack. However, email asserting a cert has
|
||
changed is
|
||
viewed as a foolish demand impeding progress -- just click OK.
|
||
|
||
As noted earlier, user
|
||
interface design is every bit as important to
|
||
security as the strength of the keys. Simply stripping the trustbar
|
||
tool of the inevitable plethora of CA-related dialog boxes would
|
||
significantly improve usability, increasing the chances that real human
|
||
beings would tolerate it; all the security properties of a
|
||
petname system without CAs would remain intact. The Trustbar itself
|
||
pops dialogs at the user (sometimes several in a row, if the entity
|
||
maintaining a web site decides to use different certs for different
|
||
pages, as discovered during the author's experiments). Private
|
||
correspondence
|
||
with the designers of the trustbar suggest that evolution in a
|
||
direction reducing the frequency and annoyance of the dialogs is a
|
||
possibility.
|
||
|
||
How well will the current implementation of the trustbar work in
|
||
practice? Only
|
||
experimentation can tell.
|
||
|
||
## Pet Name Markup Language
|
||
|
||
PNML is an XML proposal for
|
||
using petname systems ubiquitously. In a
|
||
chat system, if Bob made a reference to Alice in the text he wrote to
|
||
Ted, and if Alice is Bob's petname for a person known to Ted with
|
||
petname Carol, the sent reference to Alice would be converted via the
|
||
magic of computers into a received reference to Carol. It would take
|
||
more effort to build PNML into an existing browser than to
|
||
integrate the Waterken Petname Toolbar, but the results
|
||
would be interesting indeed.
|
||
|
||
# Conclusions
|
||
|
||
Many informal experiments with
|
||
systems identified here that use
|
||
parts
|
||
of petname systems
|
||
have
|
||
demonstrated that they can be intuitive and easy to use (Buddy Lists,
|
||
Browser bookmarks, the petname toolbar, and the CapDesk and Polaris
|
||
secure desktops). A user who
|
||
understands his petname system and is alert to the information it
|
||
conveys can be extremely hard to trick using mimicry, making that user
|
||
a difficult target for phishing. Experimentation is required to
|
||
determine how much less vulnerable to phishing the typical user would
|
||
become given a petname system. Experimentation with
|
||
petnames for web browsers does not have to be expensive; both the
|
||
Trustbar and the Waterken
|
||
Petname Toolbar are ready now, both for usage and for further
|
||
experimentation by building variations based on the open-source code.
|
||
|
||
# Implementation Notes/Requirements
|
||
|
||
Following are key features
|
||
of a petname system. If an
|
||
implementation of a naming system for an application does not include
|
||
these properties, it is not fully following the logic of petnames:
|
||
|
||
- The key must be resistant
|
||
enough to forgery to survive in the
|
||
context of the application threat model.
|
||
- There can be at most one
|
||
petname per key per user per
|
||
application.\
|
||
- There can be at most one key
|
||
per petname (per user per
|
||
application).
|
||
- In the application user
|
||
interface, all references to the key are
|
||
represented by the petname.
|
||
- The user must be able to
|
||
assign a private petname to any key.
|
||
- The petname must be assigned
|
||
to the key only by explicit user
|
||
action.
|
||
- The user must be able to
|
||
repeatedly edit the petname of any key.
|
||
- The user interface shall
|
||
assist the user in assuring that two
|
||
petnames are not similar enough to enable mimicry, to the extent
|
||
necessitated by the complexity of the application context in which the
|
||
petnames are selected and manipulated. If the number of petnames needed
|
||
by the application is small and they are easily remembered, no
|
||
assistance may be required. If the number of petnames is large, and/or
|
||
difficult to remember and/or likely to be similar, and the resultant
|
||
forms of mimicry, accidental or intentional, leads to vulnerability
|
||
inside the threat model, assistance is required.
|
||
- Nicknames and alleged names
|
||
must be unambiguously visually
|
||
distinct from petnames.
|
||
- Nicknames are optional.
|
||
|
||
# Glossary
|
||
|
||
**Petname
|
||
System:** a naming system in
|
||
which, for each
|
||
individual entity recognized by another entity, three interlocking
|
||
names solve Zooko's Triangle. The three elements are the key
|
||
(global
|
||
and secure), the nickname (global and memorable), and the petname
|
||
(secure and memorable).
|
||
|
||
**Petname:**
|
||
This term has three distinct but related
|
||
usages in the literature on petnames. Sometimes it is used as a
|
||
shorthand for referring to the petname system as a whole. Sometimes it
|
||
is used as a direct reference to the naming element that is secure,
|
||
memorable, and private to the individual who refers to another
|
||
entity; this is the
|
||
meaning used throughout this paper. Sometimes "petname" is used to
|
||
refer to the textual component of a
|
||
petname (which may have graphical elements as well). In
|
||
contexts outside this paper, the reader must
|
||
ascertain the correct interpretation from that context. True petnames
|
||
are 2-way associative: given a petname in a specific application on a
|
||
specific machine, you can acquire the key, and given the key, you can
|
||
acquire the petname. The mapping back from the key to the petname is
|
||
always performed when presenting data to the user. This makes petnames
|
||
different
|
||
from lambda names, which only map from the name to the key.
|
||
|
||
**Pet
|
||
Text:** A petname, or part of
|
||
a petname, that is textual. The
|
||
owner of a machine upon which a petname resides can edit the text to
|
||
modify the petname.
|
||
|
||
**Pet
|
||
Graphic:** A petname, or part
|
||
of a petname, that is graphical.
|
||
|
||
**Pet
|
||
Face:** A petname, or part of
|
||
a petname, that is an image of a
|
||
human face. Pet faces are intended to exploit the special powers of the
|
||
human mind for associating purposeful trust with another human.
|
||
|
||
**Purposeful
|
||
Trust:** The type of
|
||
trust that is needed before a person
|
||
should empower another entity. Examples: "I trust Entity X to
|
||
hold N
|
||
dollars for me, and to perform transfers of that money on my behalf."
|
||
And, "I trust Entity Y to tell me whether or not to buy a car
|
||
from
|
||
Entity Z." We speak of purposeful trust to distinguish it from the many
|
||
other things computer people call "trust" these days. CAs, for
|
||
example supply "trust". But CAs do not tell you if you can trust a
|
||
certificate owner to pick up your garbage, or handle your
|
||
stock portfolio. It's just "trust".
|
||
|
||
**Forgery:**
|
||
An exact duplication
|
||
of a key, such that neither human nor computer can distinguish the
|
||
duplicate from the original.
|
||
|
||
**Mimicry:**
|
||
A duplication of
|
||
a name that is good enough to fool the human being, though not good
|
||
enough to fool a computer. A famous example is
|
||
the name *paypa1*
|
||
(with a "one" as the final character),
|
||
which mimics *paypal*
|
||
quite well.
|
||
The quality of the mimicry of paypal depends on the ambiguity of the
|
||
font in
|
||
use, and the alertness of the human reading the message.
|
||
|
||
**Lambda Names:**
|
||
Names that are memorable, secure, and
|
||
private, but
|
||
which only map from the name to the key: given the lambda name, you can
|
||
retrieve the key, but given the key there is no mapping back to the
|
||
name. Objects in programming languages follow this logic: the
|
||
programmer gives the object a name in the program, but once compiled,
|
||
neither the object nor much of anything else knows how to get back to
|
||
the name (though this is an imperfect example, since debuggers can
|
||
indeed map back). Bookmarks in browsers are another example: the
|
||
bookmark maps to a url, but once you go to the url, the url is
|
||
presented directly to the user, not the name embodied in the bookmark.
|
||
Consequently bookmarks cannot help against phishing.
|
||
|
||
# Acknowledgements
|
||
|
||
Thank you to everyone on the Cap-Talk mailing list for their help,
|
||
especially Ian Grigg for his deliciously relentless criticism, but also
|
||
notably including David Hopwood, Alan Karp, Mark Miller, Tyler Close,
|
||
Trevor Perrin, and Charles Landau, each of whom made comments that
|
||
directly caused modification to the early draft. Thank you also to Amir
|
||
Herzberg for his assistance in understanding the Trustbar.
|
||
|
||
# References
|
||
|
||
\[Zooko\] <http://zooko.com/distnames.html>\
|
||
\[Trustbar\] <http://eprint.iacr.org/2004/155/>
|
||
or [http://www.cs.biu.ac.il/\~herzbea//Papers/ecommerce/spoofing.htm](http://www.cs.biu.ac.il/%7Eherzbea//Papers/ecommerce/spoofing.htm)\
|
||
\[CapDesk\] <http://www.skyhunter.com/marcs/CapDeskSpec.html>
|
||
or <http://www.combex.com/tech/edesk.html>\
|
||
\[Polaris\] <http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html>\
|
||
\[Waterken\] <http://www.waterken.com/user/PetnameTool/>[](http://www.erights.org/elib/capability/pnml.html)\
|