ietf

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 09:56:40
On 9/6/2013 5:51 AM, Jorge Amodio wrote:

> IMHO. There is no amount of engineering that can fix stupid people doing
> stupid things... on both sides of the stupid line.


Correct. Within the IETF, the most serious example of stupidity is any line of analysis that considers end-users to be stupid or lazy, rather than treating them as system components with various pragmatic constraints, just like any other system component.

So the real challenge is for us to be clear about the pragmatics when we talk about end-users. Here the real problem is that the pragmatics are only superficially understood, even by the usability (HCI, UXD, UCE, UCD...) experts.

That points to a second serious challenge, namely that we can't know very well what will work for end-users and what won't.

The model that I've described for some years is that the best user design cognitive processing models -- processing limits, memory limits, attention limits, etc. -- about end-users suggest reasonable theories for /starting/ designs, but never ensure good /final/ designs. That requires testing.

At this summer's SOUPS conference I floated this summary past a variety of senior Usable Security folks during one of the sessions and folks generally nodded in agreement.

In other words, the IETF needs to assume that we don't know what will work for end users and we need to therefore focus more on processing by end /systems/ rather than end /users/.

We also need to avoid the 'then a miracle happens' faith that end system designers will magically figure out the best user interface design for security, since they have failed at that for the last 25 years; they'll eventually succeed but they haven't, so far.

d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
