home -> developer -> YURL -> FAQ

WaterkenTM YURL

Frequently Asked Questions

2003-08-03

Questions

Answers

Can YURLs be deployed today?

Yes, you can deploy the server side of YURL technology alongside existing PKI technology. In this case, your web site will be accessible using either a YURL or a PKI URL.

To get the security advantages of YURLs, the client side of the technology must also be used. Free implementations of the client side are available. Deploying the client side of the protocol can be as simple as installing a library. No changes to the client code are required. A YURL is compatible with existing URL APIs. This feature makes YURL technology well-suited for use in web services.

back

Does a YURL prevent a Man-In-The-Middle (MITM) attack?

Yes, defending against an MITM attack is the defined purpose of a YURL. In an MITM attack, the attacker acts as a middleman between the client and the server, viewing and possibly modifying all communications between them. A YURL is a URL that prevents this type of attack by enforcing the y-property. A YURL scheme typically implements the y-property by including the fingerprint of the server's public key directly in the URL. This technique makes an MITM attack impossible.

back

Does a YURL support key replacement?

Yes, but a YURL does require that you plan for key replacement. The private key corresponding to the public key fingerprint in a YURL should be kept in a safe, offline location. This root private key is only used for signing the public/private key pair deployed in the online server. The deployed public/private key pair can, and should, be replaced at frequent intervals.

Key replacement with YURLs is much like that in the PKI. In the PKI, a CA has a root private key that must be kept secure. The CA private key is only used for signing deployed public/private key pairs. Only the deployed public/private key pairs can be replaced.

back

Is the user expected to recognize the public key fingerprint?

No, a PetName system remembers public key fingerprints for the user. The user can associate a personally chosen petname with a public key fingerprint. The PetName system will automatically recognize YURLs that use that public key fingerprint and display the corresponding petname. The user navigates a YURL web using only the personally chosen petnames, never even seeing the corresponding public key fingerprints.

back

Must the user assign a petname to every visited site?

No, petnames need only be assigned to trusted sites. The purpose of a petname is to allow the user to recognize a trusted site. If the user does not have a trust relationship with a site, a petname need not be assigned.

back

How does the user know that he is not viewing a spoof site?

The user recognizes a trusted site by its petname. If he visits a spoof site, his chosen petname will not be displayed. Thus, he knows the site is not the trusted site.

back

How could print advertising work with YURLs?

Since a YURL contains a cryptographic hash, a YURL is not human memorable. This attribute makes YURLs unsuitable for direct inclusion in print advertising. Online advertising can directly use a YURL with a standard hyperlink. Offline advertising can indirectly use a YURL.

Instead of directly including a YURL in a print advertisement, an advertiser could use a system like AOL keywords. The print advertisement would specify the keyword and the keyword host, for example, "AOL keyword: CNN". The advertisement viewer could visit the advertised site by asking the keyword host for the YURL corresponding to the keyword. In a browser, the GUI for this task might be typing the keyword into a toolbar for AOL keywords.

A keyword system is not unlike the current PKI solution. Instead of .com, .net, .org, etc. the competitors could be AOL, MSN, Yahoo, Google, etc. In a keyword system the competitors are chosen by the marketplace, not by government fiat.

back

top

Copyright 2002 - 2003 Waterken Inc. All rights reserved.

Valid XHTML 1.0! Valid CSS!