Re: [TLS] the use cases for GSS-based TLS and the plea for integrating



Jeffrey Altman <jaltman at secure-endpoints.com> writes:
> Martin Rex wrote:
>> If Public Key technology was more along the line of the original
>> models of SSH and PGP, it would likely be used much more often.
> You might want to read Alma Whitten's paper "Why Johnny Can't
> Encrypt?".  It's a usability study that explains why PGP is not usable
> for common folks.

If required I can add a shopping-list of other usability studies looking at why PKI in general is not usable for common folks. There's a summary in the slides at http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf, and a really long analysis (100-odd pages total, although it covers lots of other areas as well) at http://www.cs.auckland.ac.nz/~pgut001/pubs/man_usability.pdf.

(Note that I'm not saying ditch PKI-based auth altogether, keep it if you
want, but don't insist on making it a mandatory option in TLS if it doesn't
work to protect users).

Peter.

