On Mon, May 05, 2008 at 11:46:49AM +1000, James A. Donald wrote:
> Thor Lancelot Simon wrote:
> >And, in fact, most VPN software of any type fails this test. My concern
> >is that an excessive focus on "how hard is it to set this thing up?" can
> >seriously obscure the important second half of the question "and if you
> >set it up in the easiest possible way, is it safe?"
>
> If there is a wrong way to do it, the end user will do it wrong.
No. Your claim sounds plausible because it's a much, much stronger form of a claim which almost always _is_ true: "If there is a wrong way to do it, _some_ end users will do it wrong." But that is not the same claim as "If there is a wrong way to do it, _most_ end users will do it wrong", a claim which usually seems to be made because someone who understood cryptography but not human factors just decided that the problem he didn't know how to solve wasn't important because he didn't know how to solve it.

The fact that that mistake (in essence, assuming "it is necessary that most users will get it wrong" instead of "it is possible that most users will get it wrong") is not pointed out when it is, so often, made, is, indeed, the typical excuse for security software not bothering to supply a good user interface such that most of the time, most users get it right. That in no way means that such a user interface is not desirable, any more than low standards in the area mean that it is not possible.

I believe that those who supply security products have a responsibility to consider the knowledge, experience, and tendencies of their likely users to the greatest extent to which they're able, and supply products which will function properly _as users are likely to apply them_. I believe that not considering those questions at all is irresponsible and in some cases much worse than that. Pretending that the questions don't exist is _definitely_ worse than irresponsible; I've quit jobs when asked to behave that way, in the past, and I'd probably do so again.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]