by redxaxder 5447 days ago
More info on client SSL certificates:

http://www.gnegg.ch/2008/05/why-is-nobody-using-ssl-client-c...

I've been saying it to a lot of people for quite a while, but that's a very nice example: client certificates, OpenID, PGP, and a host of extremely useful systems like those aren't hard because they're inherently hard. They're hard because their presentations are absolute crap.

Take OpenID for example. I've encountered a bajillion nay-sayers, "it's too complicated" this and "too many steps for the user" that. So what's "sign in with Facebook" if not a better presentation of the exact same idea? And how many people have no problem using it every day?

To have a security revolution, we need to have a security software revolution. The tech exists for the vast majority of problems, we just need to use it.

Agreed. Even server-side, the software is awful - setting up a root-CA-signed certificate chain with the OpenSSL command-line tools (and Java's keytool) is an absolute nightmare. Apart from anything else, it's astonishingly difficult to tell when you've got it right, and by extension, it's astonishingly difficult to tell when you've got it subtly (or not so subtly) wrong. This has nothing to do with the principles at play, and everything to do with how the information is presented.
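As an added example (not from the thread), here is a script that builds a throwaway root -> intermediate -> client certificate chain with the OpenSSL command-line tools and then answers the "did I get it right?" question with `openssl verify`, including the check that catches the common mistake of deploying the leaf without its intermediate. It assumes an OpenSSL 1.1.1 or newer `openssl` binary on PATH; the subject names (Test Root CA, Test Intermediate CA, alice) are made up.

```shell
#!/bin/sh
# Build a minimal root -> intermediate -> client chain in a temp dir and
# verify it. All keys and certs are generated fresh and are test material only.
set -eu

build_chain() {
  dir=$(mktemp -d)
  cd "$dir"
  # Root CA: self-signed, CA:TRUE, may sign certs and CRLs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile root.ext -out root.crt >/dev/null 2>&1
  # Intermediate CA: CSR signed by the root; CA:TRUE with pathlen:0 so it
  # can only issue end-entity certs, not further CAs.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile int.ext -out int.crt >/dev/null 2>&1
  # Client (leaf) cert: signed by the intermediate, CA:FALSE, clientAuth EKU.
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout client.key -out client.csr >/dev/null 2>&1
  openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile client.ext -out client.crt >/dev/null 2>&1
  echo "$dir"
}

# Returns 0 when the leaf chains to the trusted root via the intermediate
# and is usable for TLS client authentication (-purpose also checks the
# CA flags and key usages of every cert in the chain, not just signatures).
verify_full_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    -purpose sslclient "$1/client.crt" >/dev/null 2>&1
}

# Returns 0 only if verification *fails* when the intermediate is missing:
# the relying party only trusts the root, so a leaf shipped on its own
# must be rejected ("unable to get local issuer certificate").
verify_without_intermediate_fails() {
  ! openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1
}
```

Run `d=$(build_chain); verify_full_chain "$d" && echo chain OK` to see the positive case; the second function is the negative check worth keeping in any CA setup script.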