[messaging] Value of deniability

Natanael natanael.l at gmail.com
Fri Dec 12 07:12:14 PST 2014


> Usability is about putting user goals first, period.  If your users do
> not need a thing to accomplish their goals, you do not force it on
> them.  Now, your users don't always know what they need, I hear you
> exclaiming.  That's true.  However, if you want to suggest this, it
> can't be your ego saying "me big cryptographer, me tell users what
> really matter", which is frankly most of what I've heard here.  You
> need evidence.  You need field experience.  You need testing.  And
> then you need to explain what you've done to your users so they can
> take it into account.
>
> This isn't (just) about deniability.  This is about the entire process
> of security design and the failure of this community to engage in it,
> as indicated by the continued treatment of deniability as a
> first-class property and the arguments presented for it.

But why are you repeatedly dismissing the value of deniability if usability
is the focus?

If you want to be as constructive as possible, try to help us figure out
what is reasonable to expect from an end user (how much are they willing to
learn before using it for security critical tasks?), and how to build
interfaces and systems that can match those assumptions being made.

IMHO lack of deniability (permanent provable authencity) is the greater
deviation from standard expectations. There's a design philosophy of "least
surprise". It is definitely applicable here. The consequences of
deniability won't be surprising, the consequences of provable authencity
for a lifetime of online activity would be.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141212/988fe0da/attachment.html>


More information about the Messaging mailing list