Five Theses on Security Protocols

Nicolas Williams Nicolas.Williams at oracle.com
Mon Aug 2 17:20:01 EDT 2010


On Mon, Aug 02, 2010 at 11:29:32AM -0400, Adam Fields wrote:
> On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote:
> [...]
> > 3 Any security system that demands that users be "educated",
> >   i.e. which requires that users make complicated security decisions
> >   during the course of routine work, is doomed to fail.
> [...]
> 
> I would amend this to say "which requires that users make _any_
> security decisions".
> 
> It's useful to have users confirm their intentions, or notify the user
> that a potentially dangerous action is being taken. It is not useful
> to ask them to know (or more likely guess, or even more likely ignore)
> whether any particular action will be harmful or not.

But users have to help you establish the context.  Have you ever been
prompted about invalid certs when navigating to pages where you couldn't
have cared less about the server's ID?  On the web, when does security
matter?  When you fill in a field on a form?  Maybe you're just
submitting an anonymous comment somewhere.  But certainly not just when
making payments.

I believe the user has to be involved somewhat.  The decisions the user
has to make need to be simple, real simple (e.g., never about whether to
accept a defective cert).  But you can't treat the user as a total
ignoramus unless you're also willing to severely constrain what the user
can do (so that you can then assume that everything the user is doing
requires, say, mutual authentication with peer servers).

Nico
-- 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com