That's gratitude for ya...
Rich Salz
rsalz at datapower.com
Mon Feb 14 13:43:43 EST 2005
The other day I sent Amir Herzberg a private note saying I thought his
new tool was pretty neat, and though I'm sure he's heard it a lot,
thanks. He said nope, nobody else has said it, and I was stunned.

As we all know, but apparently don't fully appreciate, the social
aspects of security don't fall into a binary good/bad evaluation. This
isn't a new key exchange protocol, where it can be objectively
evaluated, ending up with a good/bad decision. It's an open source idea
implemented by competent people, designed to address a real, and
growing, concern on the web.

Instead of saying "neat, thanks" or "have you thought about this?", the
list is filled with lots of carping about trust, wanna-be pundits
referencing Thompson's ACM paper, etc. Sheesh! Why would anyone bother?

Here's a real-world clue: the folks who might really be helped by this,
who might be saved from having their bank account raided, are *already*
trusting click-to-install software. If some of them click and just
trust this, their surfing might be a bit more secure, and their lives
just a bit better.

Why would Mozilla embed this? If they came here, to the putative
experts, for an evaluation, they'd leave thinking Amir and company just
invented Rot-13. It's not that. It's also not perfect. BFD -- you got
anything better?

/r$

PS: A concrete suggestion for improvement: when showing the user the
CA that certified the target site, include a two-line corporate summary
and a link to their home page.

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
---------------------------------------------------------------------
The Cryptography Mailing List