[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Software for PKI

To: "Peter Gutmann" <pgut001@xxxxxxxxxxxxxxxxx>
Subject: Re: Software for PKI
From: "todd glassey" <todd.glassey@xxxxxxxxxxxxxxxx>
Date: Thu, 8 Nov 2001 10:51:41 -0800
Cc: <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <200111081822.HAA19153@ruru.cs.auckland.ac.nz>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Peter  - responses below

----- Original Message -----
From: "Peter Gutmann" <pgut001@xxxxxxxxxxxxxxxxx>
To: <todd.glassey@xxxxxxxxxxxxxxxx>
Sent: Thursday, November 08, 2001 10:22 AM
Subject: Re: Software for PKI


> "todd glassey" <todd.glassey@xxxxxxxxxxxxxxxx> writes:
> >From: "Peter Gutmann" <pgut001@xxxxxxxxxxxxxxxxx>
> >"Harrington, Chris" <harringtonc@xxxxxxxxxx> writes:
> >>>>indicates that the majority of technical computer users (let alone Joe
> >>>>Sixpack) don't understand PKI and can't do much with it if you hand it
to
> >>>>them
> >>>I am in agreement with that. However, I don't feel that users should
HAVE to
> >>>understand PKI in order to use it.
> >>
> >>Read the paper I referred to ("Why Johnny can't encrypt", Usenix
Security'99,
> >>it's scary reading).  Users weren't asked to understand PKI, they were
asked to
> >>exchange encrypted mail with someone else.  One person out of 12 managed
it.
> >>The others (with access to manuals, online help, etc etc) didn't.  Not a
good
> >>sign, particularly since PGP's laissez-faire key management (and
accompanying
> >>simple UI) is far less complex than any X.509-type system.
> >
> >Thats because the authors of those documents tried to teach the people
PKI.
> >What they should have had was a button on the header that said "ENCRYPT
THIS
> >MAIL" rather than document after document on PKI and its infrastructure.
>
> Uhh, what?  Have you actually *read* the paper?  As I said above, the task
they
> were given was "exchange encrypted mail with someone else", and the docs
they
> were given (PGP manuals) cover just that (I'm sure that if you went to the
PGP
> folks and told them that their manuals were actually attempts to teach PKI
> they'd have to be physically restrained from attacking you).
> The PGP manuals
> (and software) attempt to walk people through exchanging encrypted mail in
the
> easiest manner possible, what the paper found was that people couldn't
grasp
> even that.

No Peter, what the paper found is that the UI and the PGP description of Ted
and Alice and their PKI  process was still too complex for the average
mortal. What it clearly showed is that they, the normal user, didn't want to
know how the PGP PKI worked, or how to go through  N steps to encrypt or
decrypt a letter, they just wanted to know that it did. They wanted a much
simpler manner of using the tool. What they really wanted is a mail-browser
with a button that says "Send this letter encrypted" or "Decrypt this
letter" and a little icon that pops up to tell them that this media is in an
encrypted form that their UI supports and that was something that PGP
ignored in many of its incarnations.

>
> Peter.

Prev by Date: Re: Software for PKI
Next by Date: RE: Software for PKI
Previous by thread: Re: Software for PKI
Next by thread: RE: Software for PKI
Index(es):
- Date
- Thread