[148320] in cryptography@c2.net mail archive


Re: [Cryptography] Explaining PK to grandma

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Thu Nov 28 13:55:22 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <CAMm+Lwj6k0WxXCdfYBh4gjbrud9+dqFNXx2XP84n+7vYUe5rOA@mail.gmail.com>
Date: Thu, 28 Nov 2013 07:30:39 -0500
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Cryptography <cryptography@metzdowd.com>,
	Ralf Senderek <crypto@senderek.ie>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Nov 27, 2013, at 4:39 PM, Phillip Hallam-Baker wrote:
> *But*, there is one thing that may need, not so much "explanation" in
> the sense of conveying a deep understanding, as "training".  Somehow, a
> user of secure email has to know how to get a key for themselves; how to
> move that key to different machines;
>
> No!
>
> All the user needs to know is how to configure their email on a
> different machine. If it takes more than giving the machine the address
> of the account and authorizing the new machine to connect to it then it
> has failed.

I'm not sure what you are saying here.  "Authorizing the new machine" is
just "how to move the key to a different machine" in different words.
OK, it says it even more broadly than I did, but you can't get *too*
broad without losing important distinctions.  The person undertaking the
actions has to understand that some actions make the encrypted text
visible, so are not to be undertaken lightly.  If you really use the
words "authorizing the machine", you're putting the emphasis in the
wrong place:  The machine.  Who cares about the machine?  What matters
is what *people* you've implicitly authorized through this action.
Handing your car keys to someone isn't about the keys - it's about who
can drive away in your car.

> that they must *not* give that key to anyone else.
>
> No! No!
>
> Make the scheme so that Grandma can't give her key to someone else
> without a great deal of effort.

No disagreement on the general principle:  Design that system so that
it's easy to do the right thing and hard to do the wrong thing.  But,
again, you can't remove all choice in the matter.  To take an extreme
example, there must be a way to make the key accessible to heirs - or
*not* make it accessible to heirs.  The holder of the key must have a
reasonable understanding of what it would mean either way, and a
straightforward mechanism for making the choice.

A useable system presents useful choices and actions in terms and with
semantics that are appropriate and meaningful - where "useful",
"appropriate" and "meaningful" are judged by those who use the system,
not those who designed it.  Perhaps there's a role for a system with
even fewer choices than I outlined, though personally I find it hard to
see except in very limited circumstances.
                                                        -- Jerry


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography