Subject: RE: [security-services] Draft-sstc-sec-consider-03.doc

On Thu, 10 Jan 2002, Hal Lockhart wrote:

> > The "client" is unfortunately a *human*  that just gets a
> > hint that something
> > is not correct but he/she may click "Continue" to ignore.
> > And maybe even select to
> > trust the next time.  This is the problem with ad-hoc PKI as
> > Dug correctly points
> > out.  This is also probably the weakest spot in SAML,
> > assuming that servers
> > are not too easy to hack into.
> This is nonsense. Users get very upset when they get a popup warning about a
> security error.

Really? I remember Ed Felton of Princeton giving a talk a number of years
ago at a Dimacs workshop on Trust Management. In this talk he explained an
experiment where he pointed a user at a particular website and had them
click on a button. That action raised a security violation which popped up
on IE4.0 and the user just clicked it away. Subsequently, the browser
shut off the user's machine.

You're right, people did get very upset. When asked about the popup, most
people said "What popup?".

Ed likened the popup window to "merely an incidental fly on the screen
that was in the way, which the user swatted away".

> We even found it impossible for them to accept a self-signed
> certificate from us by secure means. If it doesn't validate with one of the
> built-in roots, they won't touch it. This has been discussed repeatedly in
> the PKIX list and in the opinion of some, e.g. Peter Gutmann, it is a major
> reason people buy server certificates from public CAs.

I guess this situation depends on how many "built-in roots" your browser
has, mine came with some 100 of them. Do you find your users actually
delete root certificates they don't know enough to like?


> Hal
