Gervase Markham wrote:
> Ian G wrote:
>> There may be support for this statement,
>> but I've never been able to find its scientific
>> basis, in cryptography, user design, nor in
>> economics. In particular, the last 10 years
>> of experience only bear it out to the extent
>> that users were denied the chance to make
>> a choice. So it may well be that the reason
>> they are not in a position to correctly judge
>> relative levels of risk is because they are
>> not permitted to do so.
>
> Let's try and find an analogy. Users choose banks to deal with. One
> criterion they could potentially use in choosing a bank is what
> percentage of customers lose money through some sort of fraud (in a
> situation where the bank disclaims responsibility).
>
> Now a user could try and find and collect statistics on which banks
> tend to disclaim responsibility in fraud cases, and which didn't, and
> on which banks tended to be targets of fraud, and which don't. But
> they don't do that. They choose a bank account based on the free
> Walkman and pen.

Not a bad analogy. The vision of creating
the CA as an analogue to the Bank was
something that inspired the early implementors
of the PKI (and scared the banks no end).
Hence, they also spent a lot of time writing
legislation and getting it passed (the "Utah
model").

So you might say that we can make the
case that CAs are like banks and MF is
like the central bank, and the users are
told just like with banks that they are all
safe. (That's why they don't bother to
collect statistics.)

This analogy holds quite well!

Unfortunately, there is no good basis
in economics for the case that the user
cannot be trusted to choose a good bank.
Let me skip a few hundred books and
theses and put it in these terms:

If you had to ask the head of the Bundesbank
whether he is best equipped to tell users
where to safely bank, he would say:
Absolutely!

But if you asked the head of the Federal
Reserve the same question, he would say
Absolutely Not!

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/