nationwide interception of Facebook & webmail logincredentials in Tunisia

[Nicholas Bohm]

On 07/02/2011 10:43, Brian Morrison wrote:
> On Sun, 6 Feb 2011 19:25:52 +0000
> Ian Batten <igb at batten.eu.org> wrote:
>
>> You and I know the difference between trusting a certificate and  
>> trusting anything signed by that certificate, but most people
>> don't. Encouraging end users to manipulate their certificate store is
>> not likely to be a happy story.
> Can anyone think of a way to make this work on a grand scale for people
> that are not clued up on what certificates are, what they can do, what
> they are often used for and why they are necessary?
>
> I find that most people I speak to in the pub struggle to understand
> much of this at all, they can just about grasp that they should be
> looking for a padlock symbol when they are banking or shopping online
> but try to delve any deeper into their knowledge and one gets a blank
> stare.
>
> Essentially, all the institutions in our lives that once we trusted
> because we didn't know enough about them to be able to see where the
> holes were have now become well known enough that we are aware that
> much they do is not properly overseen and that often they do not have
> our interests at heart. And even if they do something wrongly and we
> suffer financial impact because of that, then our chances of redress as
> an individual are negligible.
>
> Not the foundation for much trust at all I'd say.

I think certificates have made it all much harder to understand.

I find it relatively straightforward to consider trusting a signature
because I can use a verification key to assure me that it was made by a
signature key that I have reasons for trusting.  Once you get into
relying on assurances from third parties, or chains of third parties, My
Eyes Glaze Over.  PKI is too far beyond intuitive common sense to be
likely ever to catch on.

Nicholas
-- 
Contact and PGP key here <http://www.ernest.net/contact/index.htm>