- From: John C Klensin <john-ietf@jck.com>
- Date: Fri, 17 Dec 2010 06:11:11 -0500
- To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
- cc: smb@cs.columbia.edu, apps-discuss@ietf.org, Common@core3.amsl.com, http-auth@ietf.org, ietf-http-wg@w3.org, kitten@ietf.org, saag@ietf.org, websec@ietf.org
--On Friday, December 17, 2010 6:18 PM +1300 Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> John C Klensin <john-ietf@jck.com> writes:
>
>> We could round up a collection of UI experts to look at some
>> of these things and have them shake their heads and say
>> "royal mess you have gotten yourselves into".
>
> The problem isn't that UI experts haven't looked at this,
> there have been a large number of papers published on this
> problem over the last decade or so, it's that it's proven
> pretty much impossible to get any action taken over it. The
> browser approach is "PKI isn't working, so we'll respond with
> even more PKI (EV certs) while stridently ignoring any
> workable alternatives (TLS-SRP and -PSK)", and there's no
> sign that this will ever change. There simply isn't a hammer
> big enough to force a change here (or, if there is, no-one's
> managed to identify it yet).

I perhaps should have said "...yet another collection of UI experts..." and "shake their heads again...". But I don't think we disagree: from my point of view, you are just describing some aspects of what I tried to summarize as "royal mess".

I do think there is at least one big enough hammer, although I'm not predicting we will get there soon and really don't like seeing protocols designed by a sequence of disaster, legal action, and legislation.

And, I am not, for the record, offering an opinion as to whether the approaches you suggest are workable and/or the right answers.

john
Received on Friday, 17 December 2010 11:11:50 UTC