what is killing PKI?

Robert J. Hansen rjh at sixdemonbag.org
Thu Oct 4 17:22:00 CEST 2012

On 10/4/12 10:59 AM, Mark H. Wood wrote:
> Billions of people have learned to use banks and checkbooks at
> least somewhat securely.  I think one difference here is that one
> is taught from an early age and *expected* to learn their proper
> use.

I have made this analogy before, but --

Imagine there is a new technology.  Call it "Grumpelfnord."
Grumpelfnord technology lets you talk to the dead and with people who
are in far-away places.  Those people who understand grumpelfnord are
seen as possessing almost magical powers.  The world can be divided
into two categories: the ones who know grumpelfnord, and the ones who
don't.  Grumpelfnord is tightly correlated with economic prosperity,
health, and life happiness.  The bad news is that learning
grumpelfnord requires upwards of ten years of intensive, continuous
training by subject matter experts specializing in grumpelfnord.
Everyone agrees that mastery of grumpelfnord is absolutely essential
to our modern society and economy, but people tend to view it as
broccoli: sure, other people should learn and practice grumpelfnord,
but each individual person says they can get by without it.

You can easily substitute "security awareness" for grumpelfnord.  All
you have to do is change what the technology lets you do -- the rest
of the paragraph stands as-is.  Everyone knows security awareness is
essential, but everyone wants somebody else to learn it.

Grumpelfnord technology is real, by the by.  It's called literacy.
Literacy lets us learn from authors who have been dead for thousands
of years, and opens up the world to us via letters, missives and
email.  Literacy is essential to modern society, and is so important
that most Western countries give children ten years or more of
constant practice in it (in the form of compulsory schooling).  And
despite the fact we invest so much in teaching people how to read, in
America the average adult American reads under two books per year.

I don't see there being any quick, easy or cheap solutions to the
problem of how to get people to be more security-aware.  I think
things will only change once computer literacy gets taught in the
public-school curriculum, and treated with the same seriousness that
normal literacy is.  And even then, I think that as soon as people
leave public schools they will willingly and cheerfully let their
computer literacy skills atrophy, just like we tend to let our
conventional literacy skills atrophy.

This is, of course, just speculation.  I have no basis for believing
this beyond my own meandering experience.

Now, if you'll pardon me, there's a copy of Xenophon's _Anabasis_ that
I've been neglecting for far, far too long.  It's high time I re-read
it.  :)


