Thor Lancelot Simon wrote:
And, in fact, most VPN software of any type fails this test.  My concern
is that an excessive focus on "how hard is it to set this thing up?" can
seriously obscure the important second half of the question "and if you
set it up in the easiest possible way, is it safe?"

If there is a wrong way to do it, the end user will do it wrong. Expert cryptographers frequently fail to act correctly on their understanding of cryptography. The end user has no chance - and the chances are still not all that good even if your end user is a highly qualified cryptographer.

What users comprehend, and are used to, is that you set up an account with username and password, and an admin blesses the account with appropriate privileges as a result of some out-of-band communication - which username and password have to be secured, invisibly to the user, against offline and phishing attacks, without requiring any thought or vigilance by the user - see my web page <http://jim.com/security/how_to_do_VPNs.html> for attacks on the password model, and defenses against those attacks.

This comes naturally to humans, for humans have long relied on shibboleths for security against treachery by outsiders. Thus the computer interface to our clever cryptographic algorithms must resemble as closely as possible the ancient human reliance on shibboleths for security.

---------------------------------------------------------------------
The Cryptography Mailing List