"James A. Donald" <[EMAIL PROTECTED]> writes:

>But is what they are doing wrong?

The users? No, not really, in that given the extensive conditioning that they've been subject to, they're doing the logical thing, which is not paying any attention to certificates. That's why I've been taking the (apparently somewhat radical) view that PKI in browsers is a lost cause - apart from a minute segment of hardcore geeks, neither users nor web site admins either understand it or care about it, and no amount of frantic turd polishing will save us any more because it's about ten years too late for that - this approach has been about as effective as "Just say no" has for STD's and drugs.

That's why I've been advocating alternative measures like mutual challenge-response authentication, it's definitely still got its problems but it's nothing like the mess we're in at the moment. PKI in browsers has had 10 years to start working and has failed completely, how many more years are we going to keep diligently polishing away before we start looking at alternative approaches?

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]