[Cryptography] "Trust in digital certificate ecosystem eroding"

Cat Okita cat at reptiles.org
Wed May 6 17:47:30 EDT 2015


On Mon, 4 May 2015, Bill Frantz wrote:
> We, as engineers, need to present security information to our users in a way 
> that is meaningful to them. They might be more concerned about a revoked 
> certificate than about an expired one, just as they might be about a driver's 
> license. They might want to know the chain of trust they are depending on, 
> but we don't tell them either of these things. If we show them the MITM 
> certificates, they will be in a much better position to judge how much trust 
> to place in the connection. If we show them the convoluted trust chain, the 
> organizations depending on those chains may decide to make the users' decision 
> easier by cleaning up their acts. And enough users will look at this 
> information in the same way they check businesses with the chamber of 
> commerce and friends living in the community.

Why should the user care about any of that?  What we -should- be presenting
is something with the equivalent clarity of "Look, there are cars rushing
by my face, -and- the light is red -- perhaps I shouldn't walk across the
road", rather than "you have a blindfold on, and there are some noises
that suggest that you might be able to cross the road in some direction,
but we're going to presume that you already know what they mean, and what's
the best way to actually proceed".

In order to make good (or even tolerable) decisions about acceptable
risk, you have to have enough context to have the faintest clue what sort
of risks you're actually looking at (see also:  "I have a system that
totally works for the stock market!").

I don't have any answers for the 'best' way to approach this, but providing
more technical detail in the absence of well understood grounds for 
evaluating said detail definitely isn't it.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."
