what is killing PKI?

[Robert J. Hansen]

On 8/26/12 5:37 PM, Stan Tobias wrote:
> In the works cited before (this thread and other discussions),
> one recurring concern could be formulated as: "Why Johnny doesn't
> encrypt his Christmas greetings to his granny?", with an implicit
> assumption/expectation that everybody ought to use cryptography by
> default for any and everything.  I'll concentrate on the encryption only.

Well, speaking just for myself, I try not to make that assumption.  I'm
interested in knowing why Johnny can't encrypt, and then further why
Johnny *doesn't* encrypt.  These are two different questions which have
very different answers.

"Why Johnny can't encrypt" is a human-computer interaction (HCI)
problem.  HCI problems are eminently solvable.  The papers have a lot of
exploration of this problem: see, e.g., "Why Johnny Can't Encrypt",
"Johnny 2", and "Why Johnny Still Can't Encrypt" for three examples of
really good peer-reviewed papers that explore this.

"Why Johnny doesn't encrypt" is a social problem.  Social problems are
notoriously intractable.  See, e.g., Gaw, Felten and Fernandez-Kelly's
paper.  They found that even when people were aware of the dangers they
were facing, knew those dangers were real, had easy access to crypto
software and had been trained in its use, they *still* weren't using
crypto... principally because they didn't want to be seen as paranoid.

I really don't want to rain on people's parades.  A lot of these ideas
of "what the problem is" are deeply interesting.  But until you actually
go out into the world and ask real users the question, and observe
workers in their natural environment, then it's a bunch of discussion
over how many angels can dance on the head of a pin.

Seriously, there have been some really good HCI and social-theory papers
mentioned on this list in the last week.  Grab them and spend an
afternoon reading through them.  I found them to be deeply rewarding:
you might, too.