
user overrides

At 04:36 PM 4/5/97 -0500, Marc Branchaud wrote:
>Subject: Re: Certificate Cancellation Notices (CCN) 

>A verification engine could present the user with a message like "Unable
>to validate this cert online, but the last time you validated it was on
>YYYY/MM/DD_HH:MM:SS and the result was X."  The user could then decide if
>he should accept/reject the cert anyway or wait until he can get online

That's an interesting suggestion, Marc.  For things like FTP proxies, there's 
no user and no chance for this, but for applications with a user interface, 
this is probably exactly what the user would want. ...it's like letting the 
user who is driving the application (e-mail, browser, ...) manually extend a 
cert's validity interval and therefore act like a super-issuer.

Of course, this brings up a chronic sore point of authentication:  that the 
end user almost never wants it.  Authentication either lets work proceed or 
stops it.  So, if you can turn off the security checks, you get more work 
done, fewer hassles, ....  Which will a user do -- turn security on or off?

I wonder if our NSA list members could tell horror stories of such user 
behavior when it really matters, as opposed to just with Internet e-mail....

 - Carl

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
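
The offline fallback discussed in this message, sketched as an added example that is not part of the original thread: an application with a user interface may ask the user to accept a cached result, while a headless one (such as an FTP proxy) rejects. The names `Verifier` and `CachedResult`, the `max_age` cap, the audit list, and the choice never to prompt on a cached "revoked" result are assumptions of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class CachedResult:
    checked_at: datetime   # when the cert was last validated online
    result: str            # "valid" or "revoked"

class Verifier:
    def __init__(self, online_check, prompt=None, max_age=timedelta(days=7)):
        self.online_check = online_check  # raises ConnectionError when offline
        self.prompt = prompt              # None when there is no user to ask
        self.max_age = max_age            # assumption: cap on cached-result age
        self.cache = {}                   # cert id -> CachedResult
        self.audit = []                   # record of every user override

    def verify(self, cert_id, now):
        try:
            result = self.online_check(cert_id)
        except ConnectionError:
            return self._offline(cert_id, now)
        self.cache[cert_id] = CachedResult(now, result)
        return result == "valid"

    def _offline(self, cert_id, now):
        last = self.cache.get(cert_id)
        # Reject when nobody can decide, nothing is cached, the last answer
        # was not "valid", or the cached answer is older than max_age.
        if (self.prompt is None or last is None or last.result != "valid"
                or now - last.checked_at > self.max_age):
            return False
        msg = (f"Unable to validate this cert online, but the last time you "
               f"validated it was on {last.checked_at:%Y/%m/%d_%H:%M:%S} "
               f"and the result was {last.result}. Accept anyway?")
        accepted = bool(self.prompt(msg))
        if accepted:
            self.audit.append((cert_id, now, last.checked_at))
        return accepted

def demo():
    # Constructed scenario: one online check succeeds, then the network drops.
    state = {"up": True}
    def check(cert_id):
        if not state["up"]:
            raise ConnectionError("responder unreachable")
        return "valid"
    t0, t1 = datetime(1997, 4, 5, 16, 36), datetime(1997, 4, 6, 16, 36)
    ui, proxy = Verifier(check, prompt=lambda m: True), Verifier(check)
    first = (ui.verify("cert-A", t0), proxy.verify("cert-A", t0))
    state["up"] = False
    return first, ui.verify("cert-A", t1), proxy.verify("cert-A", t1)
```

The audit list is what lets an operator later see how often users extended a cert's validity themselves.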
