Crypto and UI issues

James A. Donald jamesd at echeque.com
Sun Dec 18 00:12:11 EST 2005


    --
"James A. Donald"
> > Let us imagine that SSH had certified keys.  Well, 
> > certifying a key is bound to be complicated, and 
> > things are bound to go wrong, and the name that you 
> > bind it to is bound to be somewhat shifty.

Ben Laurie
> I don't see why that would happen all that much,

It would happen at least as much as it happens with 
https, and it happens enough with https that false 
negatives enormously outweigh true negatives.

"James A. Donald"
> > So pretty soon users are frequently seeing error 
> > dialogs - and so, pretty soon, are always clicking 
> > through them.

Ben Laurie
> Don't really buy this for what is, mostly, a protocol 
> used by experts.

An expert will reflexively click through a dialog that 
is almost certainly a false negative.

> True names of hosts is not a deep problem. Indeed, it 
> is even possible to discover rigorously

but is the host with the true name the entity you have a 
relationship with?

My two most recent logins were with "First National Bank
of Omaha" and "Your IBM Savings plan"

Is "firstnational.com" the same entity as "First 
National Bank of Omaha"?   Is 
"https://lb22.resources.hewitt.com" the same entity as 
"Your IBM Savings plan"

Knowing that I was really and truly connecting to 
lb22.resources.hewitt.com was not in fact much use at 
all. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     ez1z37eet0cWwVrNwfCbMCbdIdZ54HnhIA7QnrSN
     42IqI9qTDHV9RRUioTTrs3I0W7eyY9zOvBjKSSInB



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list