Use case 1: 60 year old man wants to access his bank online from his home. He has been using computer for 10 years, but only been using the internet actively for 5, and still requires help from IT for basic issues at work.
Use case 2: 40 year old man wants to use his laptop from starbucks for email. He has used computers for much of his life, but doesn't really understand how it works. He is on the road working 60-80 hours a week. He is taught to VPN in to work, but that is the extent of his understanding of security.
We're not talking about the use case 3: activist in Iran needs to communicate with compatriots. That is a much harder problem for which SSL is insufficient.
How do we set up a sufficiently easy system for use cases 1 and 2? Charging them $1,000 for a 2 day class in security is not going to work in scale, and nobody has yet written a security primer for dummies past the most basic of "don't give people your password and don't use your dog's name."
This is not true. There is no cryptosystem we know of that is more suited to "User Case 3" than TLS. There is a problem with the way activists in Iran are using TLS: to wit, they are trusting Mozilla, Microsoft, Apple, or Google to make decisions about who they trust. But TLS does not require them to do that. They are a point-and-click HOWTO away from not being in that position.
If Iranian activists want to trust Google for their sensitive email, all they have to do is track down Google's authentic certificate (by asking anybody outside of Iran to fetch it) and add it to their browser. Iran does not have the ability to break RSA. All they (apparently) have the ability to do is to con incompetent CAs into making new RSA signatures that some browsers are configured to believe.
Use case 2: 40 year old man wants to use his laptop from starbucks for email. He has used computers for much of his life, but doesn't really understand how it works. He is on the road working 60-80 hours a week. He is taught to VPN in to work, but that is the extent of his understanding of security.
We're not talking about the use case 3: activist in Iran needs to communicate with compatriots. That is a much harder problem for which SSL is insufficient.
How do we set up a sufficiently easy system for use cases 1 and 2? Charging them $1,000 for a 2 day class in security is not going to work in scale, and nobody has yet written a security primer for dummies past the most basic of "don't give people your password and don't use your dog's name."