Duane wrote:
Ian Grigg wrote:

> > Duane, this is simply not the case.  People use security,
> > but only when it doesn't interfere.  Marketing studies and
> > our own experience have consistently shown that people will
> > choose convenience over security every time.  So much so
> > that almost all pure security companies go broke eventually.
> > (If you look at the examples that succeeded in pure crypto,
> > they are not security companies, but sellers of franchises.)
>
>
> But it is the case: lowering the barrier to entry will do one thing, make it easier for people with scams to get private keys, and then the whole digital identity thing is a waste of time because they won't care enough to revoke, or even worse, trojans get in and they're none the wiser...

"people with scams to get private keys" ????

Scammers who want keys can get them anytime they want!
The reason that keys are not scarfed up by viruses
and trojans is almost certainly because they are of
no use and are not deployed widely enough to be
interesting.  Also, scammers can generate bona fide
keys with strong chains of authenticity as fast as
they need them.

There is no chance that a "strong" identity system such
as envisaged by client or S/MIME certs will ever slow
down scammers, whether we are talking about spam,
phishing, hyips, ponzis, or bogus issuers.

Almost all scams ignore the crypto because the scammer
and the scammee both agree that it is
irrelevant.  (For some time now, trojans and viruses
have been scarfing up passwords and user details
for banking sites.  This has been going on for a long
time, but it's only now starting to reach the mainstream
awareness - so much so that I have no clue how prevalent
it is.  If scammers want keys, they could go in and get
them, there is only the mildly technical challenge of
how they get past the encryption to deal with.)

Until there is really substantial use of crypto - I
mean numbers like 1-10% of normal activity - there is
no real need to worry about scammers even noticing the
crypto.  And at the point where we have substantial
numbers of people really being protected, then there
might be some interest in the scammers.  But not before.

It is a basic starting point that the whole digital
identity thing *is* a waste of time.  Ordinary People just
don't do that, naturally.  They establish identity not
by software means, but by context means - by establishing
a series of unbroken messages hopping over different
channels.  The only time that people - ordinary people
- use strong identity tokens is when they are forced
to by some higher power.  As there is no higher power
at work here, the notion that people want to establish
their identity strongly on the net is a non-starter as
a broad movement.

The p2p world is quite explanatory in this fashion:  some
young people go through chat handles like you and I go
through cups of coffee.  (Yes, teenagers have been
tracked doing 8 nyms a day.)  In order to make themselves
secure, they make themselves untraceable and non-persistent.
Making it easier for these people to generate crypto
keys on the fly and use them and dispose of them does
one thing and one thing alone:  it adds encryption to
their traffic, which is an absolute and net good in
security terms.

The same goes for email...  The more easily the crypto
infrastructure in place lets people generate
encrypted email, the better.  With no downside that
I can see, including using unencrypted keys.

If the keys were unencrypted it would change this
security equation not one iota, because the keys are
disposed of within an hour anyway.  There are really
two worlds here:  what people use identity for, and
how the infrastructure postulates identity, and the
gulf between them is so severe that there is no real
commonality.

iang
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto