forked from cheng/wallet
699bf5a2ac
to the new cool style imitating other successful open software movements. But all my navbars are the same navbar. The point of the new style is to make information readily available. We will want multiple button bars in the navbar, and possibly a related materials sidebar. Or perhaps simply link pages. We also need to change the introductory paragraph in every page to the abstract style.
958 lines
42 KiB
Markdown
958 lines
42 KiB
Markdown
---
|
||
title: An Introduction to Petname Systems
|
||
# notmine
|
||
sidebar: true
|
||
...
|
||
|
||
::: {style="text-align: center;"}
|
||
by
|
||
Marc Stiegler, Feb 2005, copyright under the MIT X License\
|
||
updated June 2010\
|
||
:::
|
||
|
||
# Abstract
|
||
|
||
Zooko's Triangle \[Zooko\] argues
|
||
that names cannot be global, secure, and memorable, all at the same
|
||
time. Domain names are an example: they are global, and memorable, but
|
||
as the rapid rise of phishing demonstrates, they are not secure.
|
||
|
||
Though no single name can have
|
||
all three properties, the *petname*
|
||
*system*
|
||
does indeed embody all three properties. Informal
|
||
experiments with petname-like systems suggest that petnames can be both
|
||
intuitive and effective. Experimental implementations already exist for
|
||
simple
|
||
extensions to existing browsers that could alleviate (possibly
|
||
dramatically) the problems with phishing. As phishers gain
|
||
sophistication, it seems compelling to experiment with petname systems
|
||
as part of the solution.
|
||
|
||
# Basic Petname Layout
|
||
|
||
Below, we have Zooko's Triangle
|
||
overlaid with a petname system:
|
||
|
||
![](./zooko-triangle.gif)
|
||
|
||
For the purposes of this document, we actually use an
|
||
alternate rendering of the key points of Zooko's Triangle. The
|
||
points
|
||
of the triangle are:
|
||
|
||
- Memorable: this means
|
||
that a human being has a chance of
|
||
remembering the name. Memorable names pass the "moving bus test": if
|
||
you see the name on the side of a bus as it drives past you, you should
|
||
be able to remember the name long enough to use it when you get home.
|
||
- Global: this means the name
|
||
is publicly available, and indeed the entity to whom the name is
|
||
attached is eager to give it to you. A key goal of marketing and
|
||
advertising is to capture memorable names in such a fashion that the
|
||
memorable name is globally locked to a particular entity.
|
||
- Securely Unique: This is
|
||
means that the name cannot be *forged*
|
||
or *mimicked*.
|
||
A name can be forged
|
||
if one can
|
||
manufacture an exact duplicate of the name such that neither man nor
|
||
machine can tell the difference. A name can be mimicked
|
||
if
|
||
one can make a name similar enough to fool the human being. In general,
|
||
phishing depends on mimicry, not forgery. This difference becomes
|
||
crucial later in the discussion.
|
||
|
||
Each name set consists of three
|
||
elements: a *key*
|
||
that is global and securely unique (but not necessarily memorable); a *nickname*
|
||
that is global and memorable (but not at all unique) , and a *petname*
|
||
that is securely unique and memorable (but private, not global):
|
||
|
||
- **Keys** lie at the heart of the security properties
|
||
of the petname system. Nicknames and petnames exist to make it easy for
|
||
human beings to manipulate keys. The security of the
|
||
system can be no stronger than the unforgeability of the keys.
|
||
Self-authenticating public/private key pairs make excellent keys since
|
||
they have strong
|
||
unforgeability properties. But there are other ways of achieving
|
||
unforgeability. A trusted path can also work well as the key: the full
|
||
pathname to a file on a specific computer is
|
||
also unforgeable (or at least, as unforgeable as the designation of the
|
||
specific computer, which can be quite strong in some cases). It does
|
||
not make any difference in a petname system whether a key can be
|
||
mimicked: keys are handled only by the computer, the human being
|
||
handles the keys only indirectly via petnames. For a particular person,
|
||
for a particular application, there is a
|
||
one-to-one mapping between a key and a petname.
|
||
|
||
- **Nicknames**
|
||
can be used to assist in discovery of
|
||
keys, and for help in selecting a petname. Nicknames are chosen by the
|
||
owners of keys in hopes of creating a distinctive, if not
|
||
unique,
|
||
mapping from the memorable nickname to the key. Such nicknames often
|
||
are promulgated throughout the world in
|
||
the hopes of making the nickname stick in the mind as a reference to
|
||
the
|
||
key. Since there are strong incentives to "take ownership" of a
|
||
nickname, even though true ownership is not possible, nicknames are the
|
||
most often misunderstood part of a petname system.
|
||
|
||
In the simple case, a nickname has a one-to-many mapping to
|
||
keys The name John Smith is obviously a
|
||
nickname: there are many John Smiths.Other nicknames
|
||
produce the illusion of being globally unique: the name Marc Stiegler
|
||
appears to be globally unique at the time of this writing. But there is
|
||
no security property in this accident of global uniqueness. The
|
||
uniqueness of the name Marc Stiegler would change quite quickly if,
|
||
through the
|
||
mysterious forces of human whimsy, the name suddenly became desirable.
|
||
Sometimes the desirability of a nickname is not whimsical, but venal.
|
||
It is already desirable for some applications to call
|
||
themselves
|
||
Quicken, for example, and draw windows that request a Quicken password.
|
||
|
||
- **Petnames**
|
||
are our private bidirectional
|
||
references to keys.
|
||
There are many Mark Millers, but there is one specific Mark Miller that
|
||
the
|
||
name means to me, the Mark Miller who
|
||
works with object-capabilities for secure cooperation. "Mark Miller" is
|
||
Mark Miller's nickname; it also
|
||
happens to be my petname for the same individual. My private pet name
|
||
for my wife is not recognizably similar to the public nickname used by
|
||
my wife. In the computer setting, for a specific person with a specific
|
||
application, petnames are unique, each petname refers to exactly one
|
||
key, and each key is represented by exactly one petname. In all places
|
||
in
|
||
the application where the app wants to designate the key, the petname
|
||
is displayed -- which is to say, *a
|
||
true petname is a bidirectional one-to-one mapping to a key*.
|
||
All references to the key by the user interface are represented by
|
||
petname.
|
||
A key cannot have two petnames; if a single key had two petnames, under
|
||
what circumstances would the user interface use petname1 as the
|
||
representation of the key, and under what circumstances would it bring
|
||
up petname2?
|
||
|
||
## More Detail, and Interactions
|
||
|
||
A good example of a nickname management system is Google. Type
|
||
in a name, and Google will return a list that includes all the entities
|
||
Google knows, to which the name refers. Google
|
||
makes a mapping between these nicknames and their keys (if we think
|
||
of the url of a page as a trusted-path-style key, which will be
|
||
discussed later). Often
|
||
enough to be interesting, the first item in the list will be the one
|
||
you wanted. But it fails often enough, and endless pages of other
|
||
choices appear often enough, to never leave us in doubt that these
|
||
identifiers
|
||
are not unique mappings to single keys. As is already true in the
|
||
current world, in a world filled with petname
|
||
systems, a key goal of marketing would be to get your nickname listed
|
||
at the top of the Google rankings for that nickname.
|
||
|
||
A single key may map to multiple nicknames. The entity that comes up
|
||
first in a Google search for "Marc Stiegler" is an entity who proposes
|
||
the
|
||
nickname "marcs" for himself in many forums. However, to assess the
|
||
security
|
||
properties of a petname system, this is irrelevant.
|
||
|
||
Nicknames are conveniences that may serve as good starting points
|
||
for petnames. If I send
|
||
you my key and my nickname, often my nickname (which I normally will
|
||
have chosen to
|
||
be reasonably rare in the world) will work great as your petname. But
|
||
do not confuse the nickname-as-proposal with the
|
||
petname-as-decided. Never in a true petname system is
|
||
the nickname presented or employed as if it were a petname.
|
||
|
||
*Alleged names*
|
||
are similar enough to nicknames to be worth
|
||
distinguishing. An alleged name is the name for an entity proposed by a
|
||
third party, typically in an introduction. This can also be useful as a
|
||
starting place for picking a petname. Alleged names, like nicknames,
|
||
are usually memorable, often global, and never securely unique. Alleged
|
||
names are often based on nicknames, though this is unreliable enough,
|
||
if one really cares about the nickname then one really needs to ask the
|
||
entity holding the key, not the introducer.
|
||
|
||
In action, keys and alleged names
|
||
tend to be transferred together. We
|
||
refer henceforth to such key/alleged-name pairs as *referrals.*
|
||
|
||
It is crucial not to confuse
|
||
private petnames with global nicknames
|
||
that temporarily happen to have a unique mapping to a key.
|
||
Experience to date suggests that the word "petname" is attractive,
|
||
leading people to desire to use it. People can thence easily fall into
|
||
the trap of referring to momentarily
|
||
unique nicknames as "petnames". This error then leads them inevitably
|
||
to draw fatally confused conclusions about the possibility of petnames
|
||
with global meaning. The security properties of a petname come from its
|
||
privacy. Public nicknames are trivially vulnerable to
|
||
both forgery and mimicry; they have no security properties.
|
||
|
||
Petnames are guessable. Most people will accept Paypal's nickname as
|
||
the petname. This can only impact the security of the
|
||
system if the user interface
|
||
distinguishes the petnames from the nicknames so poorly that the user gets confused.
|
||
|
||
The term "petname" suggests that this name is embodied as text. This
|
||
is
|
||
not necessary; petnames can be graphical as well. Indeed, some of the
|
||
petname systems listed later use petnames that include both *pet
|
||
texts* and *pet graphics.*
|
||
|
||
Petnames must be repeatably editable by the human being so that the set
|
||
of petnames can evolve as the user's set of associations
|
||
grow.
|
||
You might use the petname "Mark Miller" for the one and only Mark
|
||
Miller that you know. But then if you meet another Mark Miller you will
|
||
have to distinguish, possibly by editing the first one: the single
|
||
entry "Mark Miller" may now split into "Mark Miller Capability Guru"
|
||
and "Mark Miller Dentist".
|
||
|
||
Petnames convey power: since the petname is the user representation
|
||
of the key, it is through the petname that the human
|
||
being
|
||
uses the key, communicates with the key owner, and conveys authority to
|
||
the key owner based on the user's *purposeful
|
||
trust*
|
||
relationship with that owner (*purposeful
|
||
trust* is the type of
|
||
trust
|
||
needed to engage in action: I trust (i.e., I am willing to be
|
||
vulnerable to) Entity X to hold N number of
|
||
dollars on my behalf, and to engage in transfers of that money based on
|
||
orders I give).
|
||
|
||
Another way of thinking about the relationship between a key and a
|
||
petname is this. The key is used to authenticate the entity that owns
|
||
the key. The petname is used as a handle upon which to hang the
|
||
trust/reliance/vulnerability data used by the human being to make
|
||
authorization decisions for that entity. If the entity represented by
|
||
the petname My Phone Company asks for my credit card, if the
|
||
justification sounds reasonable, I will release it. If the entity
|
||
represented by the petname Deadbeat Brother (whom I nonetheless trust
|
||
to teach my daughter soccer in the afternoon without supervision -- the
|
||
trust relationship with such a brother is neither positive nor
|
||
negative, it is complex) asks for my credit card, I will not release it
|
||
no matter what the justification.*\
|
||
*
|
||
|
||
*The security
|
||
of a petname system depends on the
|
||
keys to
|
||
prevent forgery, and on the petnames to prevent mimicry.*
|
||
|
||
# Petnames In Action
|
||
|
||
Informal
|
||
experimentation suggests that a petname system is
|
||
much easier to use than to explain (see examples below). We will create
|
||
a single example for this introduction, and give some hint as to the
|
||
wide diversity of variations in the Examples. Suppose I send you Mark
|
||
Miller's OpenPGP pubkey in email. I say, "here is mark miller's
|
||
pubkey."
|
||
I sent you both a key and an alleged
|
||
name
|
||
(mark miller). Implicit in the transmission of the alleged name is the
|
||
proposal that you might want to consider "mark miller" as the petname.
|
||
What you actually choose as a petname depends entirely on your context.
|
||
If you know this particular mark miller in other contexts in other
|
||
applications as "markm", you may choose "markm" as the name referring
|
||
to this key in your list of pubkeys. If you think this might be
|
||
the same mark miller, but are not willing to be vulnerable to me as the
|
||
sole source of such
|
||
powerful mapping, you might use the petname "Marc Stiegler's Mark
|
||
Miller" or "Mark Stiegler's markm". If you perform appropriate
|
||
incantations on the pubkey, you can get the entity's nickname. If this
|
||
pubkey already exists
|
||
in your list, your software shouldn't give you the choice of adding it:
|
||
the software should tell you that you already have this one, and tell
|
||
you the current petname (and perhaps bring up the petname editor so you
|
||
can change the petname if the newly-received reference suggests a
|
||
better name). If you receive a message signed with the private key for
|
||
the markm petname's pubkey, the software should display the
|
||
petname markm. If you send a
|
||
message to mark miller, you should pick the
|
||
encryption key based on the petname.
|
||
|
||
The above example has the
|
||
security properties of a petname system, but OpenPGP systems often do
|
||
not demonstrate the usability properties a petname system
|
||
needs.
|
||
Instant messaging systems with buddy lists demonstrate the usability
|
||
properties, but for reasons beyond the understanding of this author,
|
||
discard all the security properties. See the examples section for more
|
||
details on buddy lists as petname systems.\
|
||
|
||
# Key Issues with Petname Systems
|
||
|
||
Two elements of full-fledged
|
||
petname systems seem to be principle
|
||
sources of controversy. One is, how do I get the keys transferred
|
||
around the system? The other is, "how easily can Darth Vader mimic a
|
||
petname?".
|
||
|
||
## Transferring Keys and Purposeful Trust
|
||
|
||
Transferring keys around the universe is easy; for example, plaster the
|
||
keys on all the web sites in the world that'll let you do so. The hard
|
||
part is transferring a key with an association to purposeful trust. It
|
||
is useless to both PayPal and the phisher who wants your Paypal account
|
||
if you just know Paypal's key; you have to be willing to make yourself
|
||
vulnerable to the entity who
|
||
owns the key to hold your credit card, trusting him to engage in only
|
||
transfers that you specify.
|
||
|
||
The question, "how do I
|
||
transfer a purposeful
|
||
trust association?", is hard to
|
||
answer because there is no simple single answer. Instead, there are a
|
||
vast array of
|
||
answers, each of which works in narrow circumstances. The question
|
||
is made
|
||
even more difficult to answer because the mechanisms by which humans
|
||
determine an appropriate purposeful trust to be associated with an
|
||
entity
|
||
is subtle, complex, powerful, and completely subconscious: the
|
||
question of how you transfer the association can easily slide into a
|
||
hopeless discussion of how to create purposeful trust in the first
|
||
place. Here we outline some general ideas for transferring
|
||
key/purposeful-trust
|
||
mappings, then in the
|
||
Examples
|
||
point out some practical approaches in specific narrow contexts.
|
||
|
||
Answers often start with direct
|
||
physical contact. You get a combination of
|
||
a nickname and a key in a file from your best friend, who says, "this
|
||
Google thing is a great search engine", or "this Consumer Reports site
|
||
will not lead you astray". You stick these referrals in your browser,
|
||
assign petnames,
|
||
and make yourself vulnerable to them for the purposes stated because
|
||
your friend said so.
|
||
Then when the side of the bus says PayPal, you might go and see what
|
||
Google thinks Paypal means. Since a relationship with PayPal is a
|
||
serious vulnerability decision, serious enough so that we're not going
|
||
to jump
|
||
at the first site just because Google said so, we'll ask a few of our
|
||
friends to email referrals to the entities they use for online money.
|
||
If the referrals they send all share the same key as the Google
|
||
key (which is easy to tell, because trying to add each new key/petname
|
||
mapping will
|
||
produce the alert that the key matches something you've already got),
|
||
the
|
||
quality of your willingness to be vulnerable to the key you have
|
||
petnamed PayPal improves.
|
||
This is pretty similar to how
|
||
we all started using PayPal even without the petname system: we jumped
|
||
in when enough of our friends and organizations that we trust for
|
||
recommendations about financial matters concurred. The only difference
|
||
in the petname version of the story is that our friends explicitly gave
|
||
us referrals rather than easily mimicked domain names, and we
|
||
explicitly set a petname (perhaps by just clicking an Accept key when
|
||
the alleged name was proposed as the petname).
|
||
|
||
While a full-fledged, purebred
|
||
petname system could in principle
|
||
supplant the entire DNS system, we have DNS now, and we can use it to
|
||
do some bootstrapping. My ability to type google.com and
|
||
paypal.com is probably adequate to get started.
|
||
|
||
Regardless of how you
|
||
bootstrap, you
|
||
can get referrals by email, thumbdrive, web page, chat, and even by
|
||
telephone.
|
||
|
||
## Converting From Nickname to Petname
|
||
|
||
The other part of the system
|
||
that is impossible to quantify is the
|
||
mimicability of pet names. Let us assume a poorly built petname system
|
||
in the clutches of a clueless user. We have a money transfer site
|
||
on the Web that we have petnamed PayPal. We get an email telling us to
|
||
update our PayPal account, we click the link, and go to a domain that
|
||
has given itself the nickname PayPa1 (for those of you with typically
|
||
broken fonts, that last character, "1", is a one). Our poorly
|
||
built hypothetical petname system
|
||
is so poorly
|
||
built, the nickname is put into the field where the petnames go, with a
|
||
hint of shading or some other easy-to-miss mod to mark the
|
||
fact that
|
||
this is the web site's nickname for
|
||
itself, not our petname for it. The distinction is missed,
|
||
and
|
||
our
|
||
user is phished.
|
||
|
||
The solutions to this problem
|
||
are
|
||
application and context specific,
|
||
though there are some good ideas floating around that seem to have wide
|
||
applicability. In the Waterken Petname Toolbar proposal (see below),
|
||
the alleged name is always "untrusted". It's hard to fail to
|
||
recognize
|
||
that
|
||
this isn't PayPal, though a sufficiently unobservant user might
|
||
completely disregard the petname and nickname information and get
|
||
phished anyway. There is limited informal evidence that users really do
|
||
notice things like this (see below), and so the most cynical of
|
||
skeptics are probably mostly wrong though they are probably slightly
|
||
right: if you send a million phishing emails to each of a million
|
||
users, some day some one will be tired and unobservant and will get
|
||
phished. If sending a trillion emails like this is cheap enough,
|
||
phishing will remain profitable, so part of the solution needs to be
|
||
making a trillion emails ever so slightly expensive. Regardless,
|
||
multiple experiments with multiple
|
||
user interfaces would be a good idea to help develop user interfaces
|
||
that maximize the probability that a tired unobservant user will notice
|
||
a warning.
|
||
|
||
There are a couple of user
|
||
interface issues. The petnames must be unambiguously distinct from
|
||
nicknames. This seems easy to do, through colors, fonts, additional
|
||
text, and separate fields for the nickname as examples of pieces of
|
||
strategy.
|
||
|
||
More difficult is the following
|
||
problem: Petname creation must be
|
||
both painless (or people will reject the whole idea) and reliably
|
||
mimicry-free (it would be a disaster to have both PayPal and PayPa1 as
|
||
petnames!). Is this one of those hopeless tradeoffs that the
|
||
computer security community enjoys throwing in its own face? To the
|
||
author, this
|
||
problem looks solvable; indeed, it seems hard to believe that this
|
||
cannot be solved with some reasonable satisfaction, given the number of
|
||
user interface ideas for this problem floating around. But
|
||
implementations and experiments, will be required to identify minimally
|
||
intrusive, adequately effective solutions.
|
||
|
||
Here are two example ideas
|
||
for petname creation user interface
|
||
that seem generally applicable. First is to compose the default choice
|
||
for the petname out of a combination of contextual information and
|
||
nickname information. Suppose we click on a link to "PayPal" in the
|
||
Consumer Reports site (that is, the site that we have assigned the
|
||
nickname, "Consumer Reports"). This takes us to a new site that
|
||
proposes the nickname "PayPal". The system clearly marks that we do not
|
||
have a petname for this site and proposes "Consumer Reports's PayPal".
|
||
The user can press a button to accept this name, edit it, or, with
|
||
algorithmic chicanery left as an exercise for the reader, press a
|
||
second button that says, "let me use the raw nickname PayPal as the
|
||
petname." This system still depends on the user remembering the
|
||
petnames he has already assigned and noticing at the time of creation
|
||
of the new petname, whether he already has a similar name in his list.
|
||
This by itself is probably enough to protect the PayPal pet name --
|
||
most of us who gave PayPal a petname would have no trouble remembering
|
||
we had done so, and if we saw something that looked like "PayPal", we'd
|
||
notice we were at risk of confusing ourselves if we accepted a similar
|
||
name -- but again, we are dealing with humans, so the process is
|
||
imperfect. To support the human being, we'd want to use a font that was
|
||
as ambiguous as possible during petname creation, mixing up 1 and l and
|
||
I in a hopeless mess,
|
||
so that we could be confident that our petnames looked unique no
|
||
matter what ridiculous font got used later.
|
||
|
||
The second idea is to have a weak algorithm for comparing a candidate
|
||
petname in the act of being accepted to the existing petnames. We
|
||
explicitly call this a *weak*
|
||
algorithm because it can be
|
||
pretty poor. It is quite
|
||
acceptable for the algorithm to pop a list of "similar petnames" that
|
||
is overly extensive, i.e., it is fine to show names that the human
|
||
easily recognizes as distinct. The serious error is to fail to show
|
||
names that
|
||
the human might confuse. Comparing Paypal to Paypa1, a sample algorithm
|
||
might notice that the names are of similar length and have three
|
||
letters in common ("p", "a", and "y"), and say, "that's similar enough
|
||
to worry me, I'm gonna check with the boss." The algorithm for noticing
|
||
similarity between private petnames is under much less pressure to be
|
||
perfect than is the algorithm for a Certificate Authority when deciding
|
||
whether
|
||
to award the name "pawpal" when the name "paypal" already exists. A CA
|
||
might like to prevent mimicry, but to do so must tread a
|
||
difficult line with abolishing huge swaths of namespace to ensure
|
||
similarities don't arise.
|
||
|
||
However it is done, mixing alphabets from different languages into a
|
||
single petname list is ridiculous. These are private petnames. Only one
|
||
person in the whole world needs to read them. Use the user's default
|
||
character
|
||
set, and be done.
|
||
|
||
# Examples, Near Examples, and Comparisons
|
||
|
||
## Physical World Petnames
|
||
|
||
Humans have been using parts of
|
||
petname systems since before the
|
||
invention of the written word. Human faces
|
||
were used as keys. These keys resisted forgery far better than most
|
||
things that pass for security today on computers (except in episodes
|
||
of Mission Impossible, and the occasional Shakespearian comedy like
|
||
12th Night). The referral, "Joe, this is my son Billy,
|
||
he's great with a club," transferred both a key/alleged-name pair and a
|
||
first-order
|
||
purposeful trust recommendation. The recipient of this referral
|
||
typically accepts the alleged name as a petname, though in some cases
|
||
the recipient may instead choose other petnames, such as, "Bob's big
|
||
dumb dufus of a son", which is a strictly private petname.
|
||
|
||
These physical world petname
|
||
systems were sufficiently different
|
||
from computer-based petname systems that it is dangerous to draw too
|
||
many conclusions from them. But the similarities are sufficiently
|
||
intriguing that the author feels compelled to mention them. More
|
||
comprehensive comparison and contrasting of physical petnaming to
|
||
computer-based petnaming is left as an entertainment for the reader.
|
||
|
||
## Trademark Law
|
||
|
||
Trademark law is not a petname
|
||
system. When civilization started
|
||
creating entities that did not have unforgeable faces (like Apple
|
||
Computer), we settled on a legal system that attempted, with fair
|
||
success, to enforce (that is, secure) purpose-unique memorable
|
||
global IDs for small numbers of entities. It is hard to map trademarks
|
||
onto petname systems for comparison, but an attempt seems in order. The
|
||
trademark-purpose pair is the key, made unforgeable by government
|
||
coercion. It
|
||
is important to note that the trademark itself is not the key: Apple
|
||
Computer and Apple Music both used the trademark Apple for decades,
|
||
without conflict, until Apple Computer entered the music business.
|
||
|
||
The trademark by itself is the
|
||
nickname: Apple Computer thinks of itself as "Apple". Petnames are
|
||
absent. Mimicry is prevented by the same
|
||
government action as forgery, and indeed the trademark system makes no
|
||
distinction between forgery and mimicry (which helps explain why the
|
||
distinction is so blurred in most computer security discussions).
|
||
|
||
Trademark law depends on the
|
||
legal system to disambiguate "similar
|
||
purpose". This is expensive, and consequently trademark law can only
|
||
apply to "small" numbers of "big" entities. The name Mark Miller is
|
||
covered by trademark law, but only in explicitly recognizing that all
|
||
people who have that name may use it, i.e., trademark law recognizes
|
||
non-uniqueness in this case. On the Web, the number of entities with
|
||
whom we
|
||
would like to associate trust/vulnerability relationships is extremely
|
||
large; indeed,
|
||
one of the failures of the Web today is that we cannot construct as
|
||
many such associations as we would like. Those relationships span
|
||
multiple legal jurisdictions, further complicating the trademark
|
||
system. Trademarking simply does not scale well enough for the age of the Web, despite its success in earlier eras.
|
||
|
||
## Instant Messaging Buddy Lists
|
||
|
||
Buddy lists for instant messengers follow the logic of petname systems
|
||
quite closely, though all the security properties are discarded in current
|
||
implementations. Each entity gets a globally unique id, rooted in the
|
||
domain name of the messaging service, which fills the role of "key". A
|
||
weak effort is made to make the id both human memorable on the one
|
||
hand, and unforgeable, on the other. The id is used as a nickname;
|
||
being sometimes memorable, it works well enough often enough. The same
|
||
id is used as
|
||
a key even though it is easy
|
||
to forge (either through man in the middle attacks or password
|
||
attacks).
|
||
The important point is that, once the user puts a petname into the
|
||
buddy list, all references to the id are represented using the petname:
|
||
you
|
||
can connect to the entity using the petname, and when the entity
|
||
connects to you, the petname displays.
|
||
|
||
Buddy lists are so intuitive,
|
||
people easily learn how to use them
|
||
with neither instruction nor documentation. An instant messenger that
|
||
used true keys, true nicknames, and enforced good security properties
|
||
would be virtually indistinguishable in user-interface presentation
|
||
from
|
||
existing systems; indeed, if one used an object-capability style of
|
||
key, the biggest difference would be the absence of passwords, an
|
||
actual usability improvement. Informal experimentation on a global
|
||
scale in the
|
||
instant messaging arena suggests the petname architecture embodied in
|
||
buddy lists can work well.
|
||
|
||
## CapDesk and Polaris
|
||
|
||
CapDesk \[CapDesk\] and Polaris \[Polaris\] are desktop systems that
|
||
explicitly flesh out a petname system to enforce security
|
||
properties. CapDesk is a point and click desktop that combines
|
||
usability, security, and functionality, to a degree often found
|
||
surprising by those unfamiliar with it. In CapDesk, at
|
||
application installation time the
|
||
application proposes a pet text and a pet graphic (the icon for the top
|
||
left corner, and the text in the title bar that is immediately
|
||
adjacent). The user may accept this petname or modify it. Windows
|
||
launched thereafter by the installed application are unforgeably marked
|
||
with the petname. Limited informal experimentation suggested that the
|
||
CapDesk petname system was intuitive and easy to use, like the buddy
|
||
lists.
|
||
|
||
Polaris is a derivative of
|
||
CapDesk that defends the Windows
|
||
operating system against several interesting classes of attack. Polaris
|
||
uses pet texts similar to the CapDesk pet texts for marking the
|
||
windows. Polaris was used in a larger set of pilot programs than
|
||
CapDesk ever experienced.
|
||
One result of the pilots that proved a pleasant surprise was that
|
||
people were aware of and sensitive to the petname markings. This
|
||
supports the hope that petnames could indeed strongly impact phishing.
|
||
|
||
## Domain Names
|
||
|
||
The DNS system is perhaps the most widely used naming architecture in
|
||
the world. There are a couple of ways of viewing DNS from a petname
|
||
perspective. The most clarifying view is perhaps the view of the domain
|
||
name as both key and
|
||
nickname rolled into one -- a unique nickname that must try to support
|
||
security
|
||
properties. One powerful way to describe DNS is to say that DNS strives
|
||
to make keys that are memorable. In other words, it is a direct
|
||
violation of Zooko's triangle. And that is why mimicry is possible. *Mimicry is an emergent
|
||
property of the violation of Zooko's
|
||
triangle.* Mimicry emerges as
|
||
the system grows to large scale. DNS is the leading example of the
|
||
problem.
|
||
|
||
Several of the other examples
|
||
here treat the domain name as a trusted-path key.
|
||
Domain names are forgeable, but in practice they seem to be resistant
|
||
enough to forgery to be useful. Judging by the
|
||
prevalence of mimicry-based phishing over DNS forgery, it seems clear
|
||
that forgery is not the weakest link in DNS; mimicry is.
|
||
|
||
## Browser Bookmarks
|
||
|
||
Browser bookmarks combined with DNS have a remarkable similarity to a
|
||
petname system...with a fatal flaw. Think of the domain name as both a
|
||
key and a nickname (which is not fatal to a petname system, remember
|
||
the nickname has no security properties, it can be gibberish or
|
||
massively oversubscribed or mimicked without violation...though the
|
||
petname system has a better chance of success if users understand that
|
||
the nickname has no security properties, which is another problem with
|
||
DNS). With this characterization, the bookmark can be thought of as a
|
||
private name that points at the key,
|
||
suggested by the nickname. It sounds like a petname system.
|
||
|
||
However, the bookmark is not a
|
||
petname. Technically, it is a
|
||
*lambda name*. As noted earlier,
|
||
a true petname is a
|
||
*two-way* mapping: any
|
||
reference to the key is represented in the user's world as the petname.
|
||
However, lambda names like bookmarks only map from the private name to
|
||
the key, with no mapping back. When you follow a bookmark to a page, or
|
||
take any other path to get to the page, the domain name is used
|
||
throughout the user interface as the "name" for presentation to the
|
||
user, a fundamental violation of petname logic. Despite this violation,
|
||
bookmarks plus DNS demonstrate how even a partial implementation
|
||
of petnames will deliver some of the defense against
|
||
mimicry that a full petname system can achieve. Any person who uses the
|
||
strategy of reading an email allegedly from PayPal, and then clicking
|
||
on their existing bookmark to go to PayPal rather than following the
|
||
email-embedded link, is getting a security benefit derived from the
|
||
partial implementation of petnames afforded by bookmarks.
|
||
|
||
## OpenPGP and the Web of Trust
|
||
|
||
OpenPGP keys
|
||
carry nicknames with them, and the user can replace nicknames with a
|
||
name of the user's choosing, which would be a petname. When an entity's
|
||
key is observed by the software, the pet name is properly presented,
|
||
i.e., the petname is properly bidirectional.
|
||
The Web of Trust supplies an interesting way to associate these keys
|
||
with purposeful trust, by asking other entities who have vouched for
|
||
the new entity, what they recommend as a trust relationship.
|
||
|
||
With all these features,
|
||
OpenPGP supplies a true petname system
|
||
architecture. OpenPGP has not been tested by phishing attacks yet.
|
||
Since all the basic elements are there, the biggest question would be,
|
||
how must the user interfaces for applications using OpenPGP evolve to
|
||
face such a threat? This is another reminder that user interface is as
|
||
critical for any practical security architecture as is the crypto. A
|
||
security system whose user interface is written by cryptographers is no
|
||
more likely to succeed than a security system whose encryption
|
||
machinery is written by user interface designers.
|
||
|
||
## Waterken Petname Toolbar
|
||
|
||
This toolbar\[Waterken\] is a proposal for web browsers explicitly based
|
||
on petname
|
||
architecture, explicitly to prevent phishing. A certificate plus a
|
||
domain name is treated as the key. The petname is a true two-way
|
||
mapping between key
|
||
and private name. The alleged name for all sites is "untrusted"; there
|
||
is no nickname. For those
|
||
sites to which the user assigns a petname, the toolbar supplies
|
||
markings
|
||
that makes it easy for the user to unambiguously distinguish the site.
|
||
This toolbar has been implemented for Firefox. This author switched to
|
||
FireFox from Mozilla just to be able to use this tool. Limited
|
||
informal experimentation suggests that the petname toolbar is as
|
||
intuitive as the buddy lists and desktop systems described earlier.
|
||
|
||
## Certificate Authorities
|
||
|
||
Certificate
|
||
Authorities create
|
||
nickname/key pairs. The certificates
|
||
share with pgp keys the cryptographic strength to ensure
|
||
unforgeability. The claim is made that, because the nickname is unique
|
||
within the CA, interesting security properties may be ascribed to the
|
||
nickname. Petnames are not included in the scheme. It looks a fair bit
|
||
like DNS, with the CA root playing the role of the DNS root servers.
|
||
|
||
How do CA-based
|
||
systems fair against mimicry? The similarity to DNS is certainly
|
||
suspicious. A generous author
|
||
might just say, CA defense against mimicry is controversial in theory
|
||
and untested in practice. A less generous author would probably say no
|
||
more, since such an author would still desire people who
|
||
think that CAs are beneficial to read the rest of the paper.\
|
||
|
||
## Trustbar
|
||
|
||
The trustbar \[trustbar\] is a CA-based
|
||
browser system that
|
||
allows user construction of petnames, including both pet text and pet
|
||
graphics, for the certified entity. In the 0.1 Mozilla
|
||
implementation, the distinction between a nickname (based on the cert)
|
||
and the petname is implied by the popup of a dialog box when the cert
|
||
is first encountered and no petname has yet been assigned. The petname
|
||
and the key are not quite fully bidirectional: the key is properly
|
||
represented by the petname in user interactions, but the petname cannot
|
||
be used to get to the key. This is just a quibble, however. The
|
||
Trustbar implements a petname system. It has, however, a big change
|
||
from a simple petname system: the inclusion of a
|
||
CA
|
||
in
|
||
the mix. Does this help
|
||
or hinder?
|
||
|
||
In the presence of the popular
|
||
"Just click Ok" mantra for certs, adding a CA
|
||
to the system may introduce new vulnerabilities. Two CA-based
|
||
attack examples: "We here at Verisign are upgrading our root key.
|
||
Please
|
||
follow the link and click Ok." Alternatively, "We here at Paypal have
|
||
fallen
|
||
into a legal dispute with Entrust. We are using a new CA that is every
|
||
bit as trustworthy. Please follow the link and click Ok." Brief
|
||
informal experimentation with the author's 83-year-old mother-in-law
|
||
suggests that an email asserting Paypal has changed domain names is
|
||
easily recognized as an attack. However, email asserting a cert has
|
||
changed is
|
||
viewed as a foolish demand impeding progress -- just click OK.
|
||
|
||
As noted earlier, user
|
||
interface design is every bit as important to
|
||
security as the strength of the keys. Simply stripping the trustbar
|
||
tool of the inevitable plethora of CA-related dialog boxes would
|
||
significantly improve usability, increasing the chances that real human
|
||
beings would tolerate it; all the security properties of a
|
||
petname system without CAs would remain intact. The Trustbar itself
|
||
pops dialogs at the user (sometimes several in a row, if the entity
|
||
maintaining a web site decides to use different certs for different
|
||
pages, as discovered during the author's experiments). Private
|
||
correspondence
|
||
with the designers of the trustbar suggest that evolution in a
|
||
direction reducing the frequency and annoyance of the dialogs is a
|
||
possibility.
|
||
|
||
How well will the current implementation of the trustbar work in
|
||
practice? Only
|
||
experimentation can tell.
|
||
|
||
## Pet Name Markup Language
|
||
|
||
PNML is an XML proposal for
|
||
using petname systems ubiquitously. In a
|
||
chat system, if Bob made a reference to Alice in the text he wrote to
|
||
Ted, and if Alice is Bob's petname for a person known to Ted with
|
||
petname Carol, the sent reference to Alice would be converted via the
|
||
magic of computers into a received reference to Carol. It would take
|
||
more effort to build PNML into an existing browser than to
|
||
integrate the Waterken Petname Toolbar, but the results
|
||
would be interesting indeed.
|
||
|
||
# Conclusions
|
||
|
||
Many informal experiments with
|
||
systems identified here that use
|
||
parts
|
||
of petname systems
|
||
have
|
||
demonstrated that they can be intuitive and easy to use (Buddy Lists,
|
||
Browser bookmarks, the petname toolbar, and the CapDesk and Polaris
|
||
secure desktops). A user who
|
||
understands his petname system and is alert to the information it
|
||
conveys can be extremely hard to trick using mimicry, making that user
|
||
a difficult target for phishing. Experimentation is required to
|
||
determine how much less vulnerable to phishing the typical user would
|
||
become given a petname system. Experimentation with
|
||
petnames for web browsers does not have to be expensive; both the
|
||
Trustbar and the Waterken
|
||
Petname Toolbar are ready now, both for usage and for further
|
||
experimentation by building variations based on the open-source code.
|
||
|
||
# Implementation Notes/Requirements
|
||
|
||
Following are key features
|
||
of a petname system. If an
|
||
implementation of a naming system for an application does not include
|
||
these properties, it is not fully following the logic of petnames:
|
||
|
||
- The key must be resistant
|
||
enough to forgery to survive in the
|
||
context of the application threat model.
|
||
- There can be at most one
|
||
petname per key per user per
|
||
application.\
|
||
- There can be at most one key
|
||
per petname (per user per
|
||
application).
|
||
- In the application user
|
||
interface, all references to the key are
|
||
represented by the petname.
|
||
- The user must be able to
|
||
assign a private petname to any key.
|
||
- The petname must be assigned
|
||
to the key only by explicit user
|
||
action.
|
||
- The user must be able to
|
||
repeatedly edit the petname of any key.
|
||
- The user interface shall
|
||
assist the user in assuring that two
|
||
petnames are not similar enough to enable mimicry, to the extent
|
||
necessitated by the complexity of the application context in which the
|
||
petnames are selected and manipulated. If the number of petnames needed
|
||
by the application is small and they are easily remembered, no
|
||
assistance may be required. If the number of petnames is large, and/or
|
||
difficult to remember and/or likely to be similar, and the resultant
|
||
forms of mimicry, accidental or intentional, leads to vulnerability
|
||
inside the threat model, assistance is required.
|
||
- Nicknames and alleged names
|
||
must be unambiguously visually
|
||
distinct from petnames.
|
||
- Nicknames are optional.
|
||
|
||
# Glossary
|
||
|
||
**Petname
|
||
System:** a naming system in
|
||
which, for each
|
||
individual entity recognized by another entity, three interlocking
|
||
names solve Zooko's Triangle. The three elements are the key
|
||
(global
|
||
and secure), the nickname (global and memorable), and the petname
|
||
(secure and memorable).
|
||
|
||
**Petname:**
|
||
This term has three distinct but related
|
||
usages in the literature on petnames. Sometimes it is used as a
|
||
shorthand for referring to the petname system as a whole. Sometimes it
|
||
is used as a direct reference to the naming element that is secure,
|
||
memorable, and private to the individual who refers to another
|
||
entity; this is the
|
||
meaning used throughout this paper. Sometimes "petname" is used to
|
||
refer to the textual component of a
|
||
petname (which may have graphical elements as well). In
|
||
contexts outside this paper, the reader must
|
||
ascertain the correct interpretation from that context. True petnames
|
||
are 2-way associative: given a petname in a specific application on a
|
||
specific machine, you can acquire the key, and given the key, you can
|
||
acquire the petname. The mapping back from the key to the petname is
|
||
always performed when presenting data to the user. This makes petnames
|
||
different
|
||
from lambda names, which only map from the name to the key.
|
||
|
||
**Pet
|
||
Text:** A petname, or part of
|
||
a petname, that is textual. The
|
||
owner of a machine upon which a petname resides can edit the text to
|
||
modify the petname.
|
||
|
||
**Pet
|
||
Graphic:** A petname, or part
|
||
of a petname, that is graphical.
|
||
|
||
**Pet
|
||
Face:** A petname, or part of
|
||
a petname, that is an image of a
|
||
human face. Pet faces are intended to exploit the special powers of the
|
||
human mind for associating purposeful trust with another human.
|
||
|
||
**Purposeful
|
||
Trust:** The type of
|
||
trust that is needed before a person
|
||
should empower another entity. Examples: "I trust Entity X to
|
||
hold N
|
||
dollars for me, and to perform transfers of that money on my behalf."
|
||
And, "I trust Entity Y to tell me whether or not to buy a car
|
||
from
|
||
Entity Z." We speak of purposeful trust to distinguish it from the many
|
||
other things computer people call "trust" these days. CAs, for
|
||
example supply "trust". But CAs do not tell you if you can trust a
|
||
certificate owner to pick up your garbage, or handle your
|
||
stock portfolio. It's just "trust".
|
||
|
||
**Forgery:**
|
||
An exact duplication
|
||
of a key, such that neither human nor computer can distinguish the
|
||
duplicate from the original.
|
||
|
||
**Mimicry:**
|
||
A duplication of
|
||
a name that is good enough to fool the human being, though not good
|
||
enough to fool a computer. A famous example is
|
||
the name *paypa1*
|
||
(with a "one" as the final character),
|
||
which mimics *paypal*
|
||
quite well.
|
||
The quality of the mimicry of paypal depends on the ambiguity of the
|
||
font in
|
||
use, and the alertness of the human reading the message.
|
||
|
||
**Lambda Names:**
|
||
Names that are memorable, secure, and
|
||
private, but
|
||
which only map from the name to the key: given the lambda name, you can
|
||
retrieve the key, but given the key there is no mapping back to the
|
||
name. Objects in programming languages follow this logic: the
|
||
programmer gives the object a name in the program, but once compiled,
|
||
neither the object nor much of anything else knows how to get back to
|
||
the name (though this is an imperfect example, since debuggers can
|
||
indeed map back). Bookmarks in browsers are another example: the
|
||
bookmark maps to a url, but once you go to the url, the url is
|
||
presented directly to the user, not the name embodied in the bookmark.
|
||
Consequently bookmarks cannot help against phishing.
|
||
|
||
# Acknowledgements
|
||
|
||
Thank you to everyone on the Cap-Talk mailing list for their help,
|
||
especially Ian Grigg for his deliciously relentless criticism, but also
|
||
notably including David Hopwood, Alan Karp, Mark Miller, Tyler Close,
|
||
Trevor Perrin, and Charles Landau, each of whom made comments that
|
||
directly caused modification to the early draft. Thank you also to Amir
|
||
Herzberg for his assistance in understanding the Trustbar.
|
||
|
||
# References
|
||
|
||
\[Zooko\] <http://zooko.com/distnames.html>\
|
||
\[Trustbar\] <http://eprint.iacr.org/2004/155/>
|
||
or [http://www.cs.biu.ac.il/\~herzbea//Papers/ecommerce/spoofing.htm](http://www.cs.biu.ac.il/%7Eherzbea//Papers/ecommerce/spoofing.htm)\
|
||
\[CapDesk\] <http://www.skyhunter.com/marcs/CapDeskSpec.html>
|
||
or <http://www.combex.com/tech/edesk.html>\
|
||
\[Polaris\] <http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html>\
|
||
\[Waterken\] <http://www.waterken.com/user/PetnameTool/>[](http://www.erights.org/elib/capability/pnml.html)\
|