On 9/6/2013 5:51 AM, Jorge Amodio wrote:
> IMHO. There is no amount of engineering that can fix stupid people doing
> stupid things... on both sides of the stupid line.

Correct. Within the IETF, the most serious example of stupidity is any
line of analysis that considers end-users to be stupid or lazy, rather
than treating them as system components with various pragmatic
constraints, just like any other system component.

So the real challenge is for us to be clear about the pragmatics when we
talk about end-users. Here the real problem is that the pragmatics are
only superficially understood, even by the usability (HCI, UXD, UCE,
UCD...) experts.

That points to a second serious challenge, namely that we can't know
very well what will work for end-users and what won't.

The model that I've described for some years is that the best user
design cognitive processing models -- processing limits, memory limits,
attention limits, etc. -- about end-users suggest reasonable theories
for /starting/ designs, but never ensure good /final/ designs. That
requires testing.

At this summer's SOUPS conference I floated this summary past a variety
of senior Usable Security folks during one of the sessions and folks
generally nodded in agreement.

In other words, the IETF needs to assume that we don't know what will
work for end users and we need to therefore focus more on processing by
end /systems/ rather than end /users/.

We also need to avoid the 'then a miracle happens' faith that end system
designers will magically figure out the best user interface design for
security, since they have failed at that for the last 25 years; they'll
eventually succeed but they haven't, so far.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net