Conversation with Dave Piscitello
Hello, everyone...

A little while ago I had a conversation with Dave Piscitello of the SSAC and Nick Ashton-Hart. The substance of the conversation was, what could WebWatch do, and/or what could be done in general, to connect consumers to some of the ICANN discussions about security and stability issues. As you know, one of the issues I am trying to confront is how to interest and educate consumers about the work ICANN is doing and what its role in Internet governance is, while trying to represent their interests as best and appropriately as possible. The conversation was to determine if there are studies WebWatch might undertake in the area of consumer protection and domain names. We also talked about some of the work SSAC is doing with the Anti-Phishing Working Group and discussed the possibility of convening some people from these groups in Los Angeles.

We're also trying to address questions like, if consumers knew more about things like DNSSEC and signed domains and the like (and their cost), would consumers want to somehow pay to participate in an Internet with more secure domain names? I've also begun talking with Nick about some possibilities for consumer education, that would include creating some consumer-friendly content.

Would be happy to hear your comments about this and other security issues. As soon as a public version of the SSAC August report is available we can post it here.

Regards,
Beau Brendler, Director
Consumer Reports WebWatch
http://www.consumerwebwatch.org
In my limited experience, I've found that secure, authenticated communications -- over the web, by email, IM, what have you -- are difficult because both sides to the communication need to have a shared understanding and common implementation of the security protocol. Even in my business, dealing lawyer to lawyer and lawyer to client (both situations where you'd think security, confidentiality and trust would demand secure and authenticated communications), I find that most lawyers and clients ask me to *stop* sending them messages with a digital signature...because their blackberry or some other handheld won't read it correctly...or because a webmail app won't read it correctly.

So I see a real need to get apps in the hands of users that can handle security in an easy, transparent way and then to educate users about what the technology is, what it means to them, and how to use it. As far as ALAC and ICANN are concerned, I suppose I see the value ALAC could add as pushing information from ICANN security working groups out to the users.

Bret
You are of course correct that there is a 'chicken/egg' element to these kinds of discussions. Security would need to be transparent to the end-user to the maximum extent possible and the tools they use.

On 6 Aug 2007, at 21:59, Bret Fausett wrote:

> In my limited experience, I've found that secure, authenticated communications -- over the web, by email, IM, what have you -- are difficult because both sides to the communication need to have a shared understanding and common implementation of the security protocol. Even in my business, dealing lawyer to lawyer and lawyer to client (both situations where you'd think security, confidentiality and trust would demand secure and authenticated communications), I find that most lawyers and clients ask me to *stop* sending them messages with a digital signature...because their blackberry or some other handheld won't read it correctly...or because a webmail app won't read it correctly.
>
> So I see a real need to get apps in the hands of users that can handle security in an easy, transparent way and then to educate users about what the technology is, what it means to them, and how to use it. As far as ALAC and ICANN are concerned, I suppose I see the value ALAC could add as pushing information from ICANN security working groups out to the users.
>
> Bret
> So I see a real need to get apps in the hands of users that can handle security in an easy, transparent way and then to educate users about what the technology is, what it means to them, and how to use it.

I agree, but this has been a problem for at least a decade; S/MIME has been around that long, most but as you note not all mail clients handle it, and how many people use it? Not many. This is particularly discouraging since S/MIME has been supported for many years in popular programs including Outlook, Outlook Express, and Thunderbird, and the support is good, once you're configured, it's at most one click to sign or validate a message. If after all this time Blackberry doesn't find S/MIME worth handling, it shows how little mindshare it's got.

Given the long and discouraging history of efforts to get people to use computers more securely, before the ALAC jumps down this rathole I would want to understand why we think we could succeed where so many have failed in the past.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
Consumer education is indeed a difficult and frustrating process.

My hope would be to focus on the first part of the excerpted comment from Bret:

"So I see a real need to get apps in the hands of users that can handle security in an easy, transparent way..."

Sometimes this is a better approach, perhaps involving consumers at the "front end," than creating something in isolation, then expecting consumers to learn how to "properly" use it.

-----Original Message-----
From: John L [mailto:johnl@iecc.com]
Sent: Tuesday, August 07, 2007 9:23 AM
To: Bret Fausett
Cc: Brendler, Beau; NA Discuss
Subject: Re: [NA-Discuss] Conversation with Dave Piscitello

> So I see a real need to get apps in the hands of users that can handle security in an easy, transparent way and then to educate users about what the technology is, what it means to them, and how to use it.

I agree, but this has been a problem for at least a decade; S/MIME has been around that long, most but as you note not all mail clients handle it, and how many people use it? Not many. This is particularly discouraging since S/MIME has been supported for many years in popular programs including Outlook, Outlook Express, and Thunderbird, and the support is good, once you're configured, it's at most one click to sign or validate a message. If after all this time Blackberry doesn't find S/MIME worth handling, it shows how little mindshare it's got.

Given the long and discouraging history of efforts to get people to use computers more securely, before the ALAC jumps down this rathole I would want to understand why we think we could succeed where so many have failed in the past.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
I agree.

-Consumer education is indeed a difficult and frustrating process.
-Real need to get apps in the hands of users

But I think it's something that should become the responsibility of the providers. Both security and responsibility (for filters) should at some point be laid in the hands of the providers. I don't think most end-users are going to understand the aspects of encryption, but I think they will understand if a certain provider has a superior product, and these should be made available. Maybe not as a mandate, but as encouragement. But, I see in my crystal ball that some big provider will eventually face a big class-action and force everyone else to take responsibility.

Randy Glass
A@L

On 8/7/07, Brendler, Beau <Brenbe@consumer.org> wrote:
> Consumer education is indeed a difficult and frustrating process.
>
> My hope would be to focus on the first part of the excerpted comment from Bret:
>
> "So I see a real need to get apps in the hands of users that can handle security in an easy, transparent way..."
>
> Sometimes this is a better approach, perhaps involving consumers at the "front end," than creating something in isolation, then expecting consumers to learn how to "properly" use it.
>
> -----Original Message-----
> From: John L [mailto:johnl@iecc.com]
> Sent: Tuesday, August 07, 2007 9:23 AM
> To: Bret Fausett
> Cc: Brendler, Beau; NA Discuss
> Subject: Re: [NA-Discuss] Conversation with Dave Piscitello
>
> > So I see a real need to get apps in the hands of users that can handle security in an easy, transparent way and then to educate users about what the technology is, what it means to them, and how to use it.
>
> I agree, but this has been a problem for at least a decade; S/MIME has been around that long, most but as you note not all mail clients handle it, and how many people use it? Not many. This is particularly discouraging since S/MIME has been supported for many years in popular programs including Outlook, Outlook Express, and Thunderbird, and the support is good, once you're configured, it's at most one click to sign or validate a message. If after all this time Blackberry doesn't find S/MIME worth handling, it shows how little mindshare it's got.
>
> Given the long and discouraging history of efforts to get people to use computers more securely, before the ALAC jumps down this rathole I would want to understand why we think we could succeed where so many have failed in the past.
>
> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
> "More Wiener schnitzel, please", said Tom, revealingly.
-- ------------------------- AmericaAtLarge.org RJPacific.com DDMF.org
> Sometimes this is a better approach, perhaps involving consumers at the "front end," than creating something in isolation, then expecting consumers to learn how to "properly" use it.

Actually, in the case of S/MIME it's not really the consumers' fault. Although using S/MIME is easy enough once you're set up, getting the necessary keys created and installed is daunting, even for those of us with a technical background, and the design of S/MIME doesn't let you make it much easier. That's why recent mail security work has focused on technologies like DKIM that run at the server level and don't require every user to set it up individually.

The list of issues tangentially related to ICANN is of unlimited size, but ALAC does not have unlimited attention. (Attention has in the past been more of an issue than money.) I think it would make more sense to pick a smaller number of issues more directly related to ICANN and pay more attention to them. Keeping useful information in WHOIS for the benefit of individual non-registrant users would be a good one to start on.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
-----Original Message-----
From: John L [mailto:johnl@iecc.com]
Sent: Tuesday, August 07, 2007 1:05 PM
To: Brendler, Beau
Cc: Bret Fausett; NA Discuss
Subject: RE: [NA-Discuss] Conversation with Dave Piscitello

> Sometimes this is a better approach, perhaps involving consumers at the "front end," than creating something in isolation, then expecting consumers to learn how to "properly" use it.

Actually, in the case of S/MIME it's not really the consumers' fault. Although using S/MIME is easy enough once you're set up, getting the necessary keys created and installed is daunting, even for those of us with a technical background, and the design of S/MIME doesn't let you make it much easier. That's why recent mail security work has focused on technologies like DKIM that run at the server level and don't require every user to set it up individually.

The list of issues tangentially related to ICANN is of unlimited size, but ALAC does not have unlimited attention. (Attention has in the past been more of an issue than money.) I think it would make more sense to pick a smaller number of issues more directly related to ICANN and pay more attention to them. Keeping useful information in WHOIS for the benefit of individual non-registrant users would be a good one to start on.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
participants (5): Brendler, Beau; Bret Fausett; John L; Nick Ashton-Hart; RJGlass | America@Large