[cap-talk] More Heresey: ACLs not inherently bad

James A. Donald jamesd at echeque.com
Fri Oct 3 13:54:15 CDT 2008


Raoul Duke wrote:
> tho, different humans have different willingness to deal with
> usability hurdles in the name of security. for example, probably
> mostly nobody really ever bothers to validate ssh fingerprints the
> first time they connect to a server.

Almost no one checks fingerprints when they first connect, but when 
fingerprints change unexpectedly on subsequent connections, SSH gets 
upset, and this is sufficiently unusual as to at least sometimes provoke 
curiosity, unlike PKI where one is routinely redirected to a different 
certificate with a peculiar name, and no warning is generated, nor, if 
there was a warning, would anyone pay attention to such a common event.
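
Added example, not part of the original message or of OpenSSH: a minimal Python model of the contrast drawn above, where a pinned-key (trust-on-first-use) check flags a changed key while a CA-only check accepts any certificate from a trusted issuer. The names PinStore, ca_check, run_demo, example.test, CA-One and CA-Two are assumptions, and the CA check is deliberately simplified (no signature or chain verification).

```python
import hashlib
import hmac


class PinStore:
    """Trust-on-first-use store, the idea behind SSH's known_hosts file."""

    def __init__(self):
        self._pins = {}  # host -> SHA-256 fingerprint of the first key seen

    def check(self, host, public_key):
        fp = hashlib.sha256(public_key).hexdigest()
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp
            return "first-use"  # accepted without verification
        if hmac.compare_digest(pinned, fp):
            return "match"
        return "CHANGED"  # pin is kept; the caller should warn and stop


def ca_check(host, cert, trusted_issuers):
    """Simplified CA model: no memory of earlier keys, no signature checks."""
    if cert["subject"] == host and cert["issuer"] in trusted_issuers:
        return "valid"
    return "rejected"


def run_demo():
    # Constructed sample data: byte strings stand in for real key material.
    visits = [
        {"subject": "example.test", "issuer": "CA-One", "key": b"key-A"},
        {"subject": "example.test", "issuer": "CA-One", "key": b"key-A"},
        {"subject": "example.test", "issuer": "CA-Two", "key": b"key-B"},
    ]
    pins = PinStore()
    trusted = {"CA-One", "CA-Two"}
    return [
        (pins.check("example.test", v["key"]),
         ca_check("example.test", v, trusted))
        for v in visits
    ]


if __name__ == "__main__":
    for tofu, ca in run_demo():
        print(f"pinned-key check: {tofu:10}  CA-only check: {ca}")
```
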


