Ian G wrote:
| <snip!>
|
| Do you really think MF should purport to make the
| decision that the user should trust 20 different CAs
| without a choice?
|
| Yes, users can remember the brands needed. Huge
| numbers of branding studies have shown the user
| has a capability to deal with brands. The entire
| western commerce system runs on it, and relies
| on it to get bread to your door, petrol in your car,
| your car itself, and beer at the end of the car
| journey. Quick, how many beer brands do you
| know and recognise?
There is a difference between brands of products that you use and have experience with, vs. those that you may simply have no basis for knowing.
With your analogy I know that millions enjoy Guinness; me, I can't get the stuff down! ;-) That's not to say it's bad, which it seems like where your argument is going: recognized brand = good thing(tm). Un-recognized brand = bad thing.
In the Schmoo thing, we both saw the cert details and knew rather quickly that something was afoot because it was *not* Verisign. But I see no way whatsoever that joe6pack on the street (joe6pack being defined as a non-crypto geek) would have the faintest clue or even know why he should care. It's like me taking my car in for service. When the mechanic says I need brake pads, I merely nod and say yes; we don't even bother going through which brand he slaps on there because we both know it would be meaningless to me. The only thing that's likely to get my attention is when he asks "Do you want the $10 or $100 pads?". But when I drive off the lot and my car successfully brakes, I quickly forget the entire brake pad conversation, not just the brand. For me it's just not important. Just like most people haven't a clue what that damn padlock is for anyway. Not on their radar. Un-unh. Nope. Not gonna happen.
We the crypto-geek community have to ensure that we give consumers the necessary tools but that doesn't mean we need or should attempt to make them experts. For no matter what clever hack we code, RFC we write, or GUI we display, it boils down to Abe Lincoln's "You can fool all of the people some of the time, some of the people all of the time, but you can't fool all of the people all of the time". We can only address parts of the argument IMO, not the whole thing.
Wren
