Dirk-Willem van Gulik wrote:
 > ... discussion on CA/cert acceptance hurdles in the UI ....

I am just wondering if we need a dose of PGP-style reality here.

 > We're really seeing 3 or 4 levels of SSL/TLS happening here - and whilst
 > they all appear to use the same technology - the assurances, UI, operational
 > regimen, 'investment' and user expectations are way different:
I seriously doubt that even a single-digit percentage of end users out on the internet know anything about the different types of certificates used in SSL/TLS and what they mean. I know none of my family (other than my wife, but she worked for a large CA doing authentication and verification) knows what SSL really means, never mind what the different types of cert are supposed to indicate and what to do about them, yet they buy stuff on the internet. It doesn't mean they are ignorant; it is just the normal case.

 > So my take is that it is pretty much impossible to get the UI to do
 > the right thing - until it has this information* - and even then
 > you have a fair chunk of education left to do :).

Even if you got the UI to do "the right thing", it still doesn't mean anything real about trust; all it really means is how much money was invested in getting the cert and setting up the "correct" information about the "company identity" behind it.

Darren J Moffat

