[133499] in cryptography@c2.net mail archive


Re: once more, with feeling.

daemon@ATHENA.MIT.EDU (Darren J Moffat)
Thu Sep 18 19:41:44 2008

Date: Thu, 18 Sep 2008 10:19:22 +0100
From: Darren J Moffat <Darren.Moffat@Sun.COM>
In-reply-to: <76E93BC3-9E2D-4E1E-8B3E-5B3048EE06F0@webweaving.org>
To: Dirk-Willem van Gulik <dirkx@webweaving.org>
Cc: cryptography@metzdowd.com

Dirk-Willem van Gulik wrote:
>  > ... discussion on CA/cert acceptance hurdles in the UI ....
> 
> I am just wondering if we need a dose of PGP-style reality here.
> 
> We're really seeing 3 or 4 levels of SSL/TLS happening here - and whilst
> they all appear to use the same technology - the assurances, UI, operational
> regimen, 'investment' and user expectations are way different:
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I seriously doubt that even a single digit percentage of end users out
on the internet know anything about the different types of certificates
used in SSL/TLS and what they mean.  I know none of my family (other
than my wife: but given she worked for a large CA doing authentication
and verification) knows what SSL really means, never mind what the
different types of cert are supposed to indicate and what to do about
them, yet they buy stuff on the internet.  It doesn't mean they are
ignorant; it is just the normal case.

> So my take is that it is pretty much impossible to get the UI to do
> the right thing - until it has this information* - and even then
> you have a fair chunk of education left to do :). 

Even if you got the UI to do "the right thing", it still doesn't mean
anything real about trust; all it really means is how much money was
invested in getting the cert and setting up the "correct" information
about the "company identity" behind it.


-- 
Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
