Blame the victim.

Pretty harsh, even for me, but let us find some quotes to support my position:

“We certainly haven’t been able to abandon a vigilant stance in the real world, and I don’t suppose we ever will. So what is it that evokes such reverence in the techie world for real world trust?”

“But the ‘Trusted Adult’ list cannot be the only metric you use, because these positions have been abused, and because sometimes bad people gain positions of authority. That is life, in the real world and online. Any trust list can only be the first step in a cautious ritual that only the person living it can undergo”

“The psycho used the most grossly low-tech mockery of a credential to pose as a member of the ‘Trusted Adult’ list, but it worked – if only the girl had even superficially validated his credentials, she might have had a warning that something might be wrong. She needed to know what to do in such a case, and her lack of knowledge of the tools at her disposal cost her terribly.”

“No matter how good our technology gets, poorly educated users will still be at risk.”

Yep – you squarely put the onus on the violated, rather than the violator every time.

I think that sums up your thoughts on the matter. I think that the optimism, (you *are* an optimist are you not), that the rest of us feel about trust in the online world is that it *should* be better than in the real world. (Yes, I find it surreal to be explaining optimism to you of all people).

Persons who violate trust try to control the information that their “mark” is exposed to – one of the really great things that the internet and computers in general are good at is providing information quickly and at the personal request of someone. It is easy to validate on-line certificates, the reason people don’t always do it is that they do not understand the concept as well as the tools. Those of you in the Identity business should make it easy and effective to make sure that no one ends up in a hole suffering at the hands of a psycho in a on-line sense. I suggest you come up with a better strategy than to blame the victim.

Personally I think we as a society need recourse to punish those that violate on-line trust – I would suggest hitting where it huts, in the wallet.

Don.

So the question is, just what are the things and concepts that users must learn for themselves? I’m sorry I don’t have good answers; there are usability folks that are
trying to come up with some. I will say that I don’t think users will have to learn the difference between public and private keys. and that they will not have to learn the definition of “claimant”, and that they will not have to learn what a so-called “root” certificate is, and that they will not have to learn about path discovery and validation, and that they will not have to learn …

The fundamental principle of human engineering applies. Desigh the system such that it is easy for users to do the right thing and difficult to make mistakes. And as far as security is concerned, make it difficult for miscreants to do naughty things.
‘Tis not an easy problem, methinks.

I’ve been ranting about this for years, mostly in the context of electronic voting. If we can simply emulate electronically that which exists in the real world – we’ll have done a good job. Any improvement we can make is gravy.

-dave