Web of Pragmatics: A Comment on Methodology
D. Crocker, Brandenburg InternetWorking, email@example.com

"Dying is Easy. Comedy is Hard." – Edmund Gwenn

Components are easy. Systems are hard. Encryption is easy. Security is hard.
Every type of consumer and enterprise system on the Internet has been compromised. Most have been compromised repeatedly and massively. The issue is not that the encryption algorithms have been broken. Ultimately the issue is that using the systems in the real world encourages problematic practices, either in development, operations, or use.
We have had crypto-based mechanisms widely available for nearly three decades, yet general uptake beyond very narrow uses remains terrible. That is, although transaction-based use of encryption happens every day on the Internet, it is really only for preventing wiretapping. Users continue not to employ object-based confidentiality tools, nor to understand and use certificates. The primary means of assessing trust on the Internet is the vendor's sending you a text message and your feeding the received code back to them. Equivalent validation by the vendor to satisfy the user remains entirely ad hoc and highly error prone.
The Rebooting the Web of Trust initiative is in its third year. While there is considerable activity, what is the demonstrable progress? How much closer are we to meaningful and widespread use of better validation mechanisms? I'll suggest the answers are, unfortunately, pretty much none and pretty much not very.
Successful Internet efforts gain momentum quickly, by resonating with a critical set of actors, including developers, operators and users. The right developers, the right operators and the right users. Who qualifies? Those in a position to make the progress happen. Getting the basic technical work done is typically the easy part. More importantly, these actors can sell the benefits to a growing community. While some technological breakthroughs sell themselves, most need to start with a clear and pragmatic sense of adopters and users. However, most exercises to describe them are idealistic and, therefore, ultimately doomed.
The RWOT effort needs to coalesce around some basic and well-researched UI/UX models for end-users, but also for operators, so that there are obvious and compelling value propositions and a realistic ability to achieve them. Obvious and compelling to essential decision-makers and to those pesky end users. Assumptions that a wonderful new system will displace an existing, popular one are almost always a non-starter.
Formulate simple statements about benefits and usability. And note I said 'well-researched'. You (and I) are not part of a representative sample. Only after this is formulated should there be talk of the technical details.
Unless and until we have a unified goal, with a basis for knowing that it is compelling to adopters and users, as well as targeting a plausible set of platforms, we will instead continue to have excellent technical developments that are a random walk through trust space, where successes will be accidental.