Re: [TLS] the use cases for GSS-based TLS and the plea for

To: pgut001 at cs.auckland.ac.nz
Subject: Re: [TLS] the use cases for GSS-based TLS and the plea for
From: Martin Rex <Martin.Rex at sap.com>
Date: Fri, 27 Jul 2007 17:51:37 +0200 (MEST)
Cc: tls at ietf.org
In-reply-to: <20070728032525.ziq6kvl6mk0sk0kg@webmail.cs.auckland.ac.nz> from "pgut001@cs.auckland.ac.nz" at Jul 28, 7 03:25:25 am
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com

pgut001 at cs.auckland.ac.nz wrote:
> 
> Jeffrey Altman <jaltman at secure-endpoints.com> writes:
> > Martin Rex wrote:
> >> If Public Key technology was more along the line of the original
> >> models of SSH and PGP, it would likely be used much more often.
> > You might want to read Alma Whitten's paper "Why Johnny Can't
> > Encrypt?".  Its a usability study that explains why PGP is not usable
> > for common folks.
> 
> If required I can add a shopping-list of other usability studies looking at
> why PKI in general is not usable for common folks.  There's a summary in the
> slides at http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf, and a
> really long analysis (100-odd pages total, although it covers lots of other
> areas as well) at
> http://www.cs.auckland.ac.nz/~pgut001/pubs/man_usability.pdf.
> 
> (Note that I'm not saying ditch PKI-based auth altogether, keep it if you
> want, but don't insist on making it a mandatory option in TLS if it doesn't
> work to protect users).

Joe Average also can not set up most things on his Windows PC,
but for the simpler tasks, people can help each other.
With PGP/SSH that has been possible and works fine.

A few years ago I tried to use S/Mime to have someone who had
S/Mime (but not PGP) configured send me stuff in an encrypted
fashion via Email.

I spent an hour until I gave up.  All implementations of S/Mime-capable
MUAs are so horribly broken that even someone with a technical
understanding runs into brick walls everywhere.

None of the MUAs (Outlook&Netscape Navigator) offered me to generate
a self-signed S/Mime capable certificate.
Trying to use existing or newly generated PKI-Credentials (which work
just fine with SSL and GSS-API) proved to be impossible because of the
braindead MUAs (it could be that it wasn't the MUAs fault but a
braindead S/Mime spec that was causing the headaches).

One of the problems with PKI that the technology is often
contorted to push CA business models.  And the other problem
is that it has overloaded "PK credentials" with bloat of the "policy"
category far beyond reason and is causing serious usability,
supportability and interoperability problems for everyone
who starts trying to use the technology for himself.

-Martin

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] the use cases for GSS-based TLS and the plea for
  - From: pgut001

References:
- Re: [TLS] the use cases for GSS-based TLS and the plea for integrating
  - From: pgut001

Prev by Date: Re: [TLS] the use cases for GSS-based TLS and the plea for integrating
Next by Date: Re: [TLS] the use cases for GSS-based TLS and the plea for integrating
Previous by thread: Re: [TLS] the use cases for GSS-based TLS and the plea for integrating
Next by thread: Re: [TLS] the use cases for GSS-based TLS and the plea for
Index(es):
- Date
- Thread

Re: [TLS] the use cases for GSS-based TLS and the plea for

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.