Lets face it, the whole WiFi connection thing is junk and it is a part of the network that is not in a place where the IETF usually acts - the UI.
Well, that is fine because the IETF is part of ISOC and do you know what else just became a part of ISOC? The Online Trust Alliance. And they are all about security, trust and UI.
I think that we maybe should have a talk about this with some ISOC folk because it is definitely an area where maybe we need a bit of 'joined up standards making'. There are parts of this problem that lie in CABForum space, OTA space and IETF space.
I presume that there will be ISOC people there. We should talk about what parts of the problem should lie where. I am not happy with the fact that the WiFi alliance has still not provided a secure user experience after all this time and obviously sees no need for one.
This issue is becoming a very serious political issue and has been the reason that I have been making trips to D.C. recently to speak to members of Congress and their staff. With Congress gridlocked, the range of legislation they can get through is small, the only thing that people can agree on is the need for better cyber security. Do people want to have that conversation under the ISOC umbrella or do I have to use congressional staffers to jackhammer the obvious into people's management chains?
Yes, the WiFi thing is a problem. And yes we need to fix it. Maybe get round a whiteboard with some beers. Think outside the box and this problem solves itself: have a mechanism for the access points to say 'ietf-legacy is also me' and the client can upgrade. But that is just one detail and we won't solve the user's problem if all we do is solve each problem as it presents itself, taking three years each. Lets just design something that does not stink and to do that we have to admit some of the reasons that Security Usability remains miserable.
The big problem that I see with the Security Usability folk is that many think it fine to say, 'users can't understand security indicators' so we don't do them. This is wrong for several reasons.
1) We spend an inordinate amount of time telling users they they should take care online but not how to make themselves safe. A product that refuses to even let the user see the information that would allow an expert to make that determination is a bad product.
So that is the first thing to realize. If the research tells you that your product stinks. Don't you dare use that research to say that the problem is impossible. Because your bosses-bosses-boss might just end up in a hearing next to me and he might just end up agreeing with me.
2) If we can't give useful advice now, we have to work out how to change the protocol so that we can in future. Users cannot understand a Certificate Transparency log or a PKIX cert chain. But they might just be able to intuit that the older a certificate is, the more likely it is that they might understand it. Hence my proposal for a 'First Issued' aka 'Member Since' extension for certs.
3) The alternative is allowing certain large Internet services to turn parts of the net into gated communities. Having obstructed (or demolished) all the infrastructures that could provide some security for users against the attacks THEY care about (identity theft, not mass surveillance) they will stick to the big names they know and trust to prevent them going into the 'bad' parts of the net.
This is of course the old walled gardens issue but in a different form. Oh and my is the US Republican Party onto that one. If you look at the legislation some members that claim to be anti-regulation have proposed recently, it is a real eye opener.
The people I am meeting with know what I am and what my roles are. The reason they are giving me time of day is because they know that a gated community run by two companies very strongly aligned with their opposition is not in their interest. It is not in our interest either to have security systems to be a part of applications and platforms that are welded in so the user has no choice over them.
Microsoft recognizes this, that is why there is an API for anti-virus to plug into and you can choose to use the Microsoft one or a different one.