[Cryptography] bad advice, was New SSL/TLS certs
John Levine
johnl at iecc.com
Mon Apr 21 19:15:47 EDT 2025
It appears that Kent Borg <kentborg at borg.org> said:
>* How could fusion be easier? One key reason is because we are allowed
>to train the operators of the power plants! But there is an Accepted
>Truth that we are not allowed to teach the user anything! Not even
>cautionary tales along the lines of /Little Red Ridinghood/, because
>that would be blaming the user.

No, that's not the reason. Endless failures have told us that trying
to train users just does not work. Remember that we are strange, we
are all engineers of various types, and we think like engineers. Most
people think in other ways, and if you tell people to do something
that seems arbitrary and counterintuitive, they won't, no matter how
many times you tell them and in how much detail you explain why it's
important.

I've pointed out many times that applying experience from the regular
world to the Internet doesn't work very well. For example, in the
regular world, banks have marble columns and mahogany counters and
big steel vaults. If a building looks like that, the chances are very
high that it really is a bank or something like a bank. But on the
Internet, random teenagers in Moldova can make web sites that look
just like the Bank of America. We're giving advice along the lines of
saying to look carefully at the marble columns and see if they are a
little crooked or the chisel marks are too regular which means it
might be fake marble. Good luck with that.

R's,
John