Apropos Gerv's strawman question about trying to make OCSP soft fail
better, here is a fairly eloquent article from Bruce Schneier that might
help. I don't always agree with him, but on this article, I am in full
agreement. First and last paras only.
http://threatpost.com/blogs/difficulty-un-authentication-128
In computer security, a lot of effort is spent on the authentication
problem. Whether it’s passwords, secure tokens, secret questions, image
mnemonics, or something else, engineers are continually coming up with
more complicated -- and hopefully more secure -- ways for you to prove
you are who you say you are over the Internet.
[snip]
Designing systems for usability is hard, especially when security is
involved. Almost by definition, making something secure makes it less
usable. Choosing an unauthentication method depends a lot on how the
system is used as well as the threat model. You have to balance
increasing security with pissing the users off, and getting that balance
right takes time and testing, and is much more an art than a science.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
