[Cryptography] "Trust in digital certificate ecosystem eroding"
Bill Frantz
frantz at pwpconsult.com
Mon May 4 10:25:30 EDT 2015
I think it is quite frequent that we engineers both overestimate
and underestimate the abilities of our users. We
expect them to think like engineers, which only works for a
small minority of them. When they don't think like engineers, we
assume they can't make security decisions, even though they have
been making security decisions in real life ever since childhood.

In real life, if I go to a URL to read something that has been
posted, I really don't care about authentication or secrecy. If
I get a techie security dialog, I'll click through because I am
going to apply the same filters to that information that I apply
to information on this list, and all of the other lists I read.
I will use the same technique for the cute kitten pictures.

I will be more concerned if I am about to send my credit card,
but I have protection for those transactions, so security
dialogs aren't a real concern.

BTW, I don't do online banking. :-)

We, as engineers, need to present security information to our
users in a way that is meaningful to them. They might be more
concerned about a revoked certificate than about an expired one,
just as they might be about a driver's license. They might want
to know the chain of trust they are depending on, but we don't
tell them either of these things. If we show them the MITM
certificates, they will be in a much better position to judge
how much trust to place in the connection. If we show them the
convoluted trust chain, the organizations depending on those
chains may decide to make the users' decision easier by cleaning
up their acts. And enough users will look at this information in
the same way they check businesses with the chamber of commerce
and friends living in the community.

Cheers - Bill
--------------------------------------------------------------
Bill Frantz | There are now so many exceptions to the
408-356-8506 | Fourth Amendment that it operates only by
www.pwpconsult.com | accident. - William Hugh Murray