Amir Herzberg wrote:
> Tyler, we allow the user to select a logo or icon, so this is a local identifier, just like your petnames... Indeed, the site could also suggest the logo or present a logo certified by some authority, but this is only for convenience

Are you sure it's just a convenience with no safety implications? The analysis presented in my paper concluded that this pathway enables phishing attacks. Do you have a counter-argument?

> Therefore, after reading your paper, it appears to me to be a subset of our proposals. Of course, you may object to our other proposals e.g. the use of logos as a better (imho) identification mechanism.

The interesting thing about subsets is that they engender entirely different use models. A car with fins is not a car that swims. The use model is what we're interested in.


After reading your paper, my conclusion is that your proposal would end up being used exactly as the current PKI is, but with bitmaps instead of text strings as the site identifiers. I doubt this will have any impact on phishing attacks. The resulting system would still suffer from name conflation. The site identifier is still doing double-duty as the trust relationship identifier [1].

Tyler

[1] For an in-depth study of name conflation, see the previously linked-to paper at:

http://www.waterken.com/dev/YURL/Name/

--
The web-calculus is the union of REST and capability-based security.
http://www.waterken.com/dev/Web/
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security