
Consumers don't have anything useful to bring to this table.

Historically the realisation that you need outside Cryptographers (not consumers) if you actually want to do anything novel with cryptography† was slow to arrive.

Even on the Internet, for PGP and SSL there was no real outside cryptographic design input. In SSL's case a few academics looked at the design of SSLv1, broke it, and that's why SSLv2 is the first version shipped. Only TLS 1.2 finally had a step where they asked actual cryptographers "Is this secure?", and that step was after the design work was finished. TLS 1.3 (just a few years ago) is the first iteration where they had cryptographers looking at the problem from the outset, and the working group rejected things that cryptographers said can't be made to fly.

And TLS 1.3 also reflects something that was effectively impossible last century, rather than just a bad mindset. Today we have reasonably good automated proof systems. An expert mathematician can tell a computer "Given A, B and C are true, is D true?" and have it tell them either that D is necessarily true or that in fact it can't be true because -something- and that helps avoid some goofs. So TLS 1.3 has been proven (in a specific and limited model). You just could not do that with the state of the art in say 1995 even if you'd known you wanted to.

Now, we need to get that same understanding into unwieldy SDOs like ISO, and also into pseudo-SDOs like EMVCo (the organisation that makes "Chip and PIN" and "Contactless payment" work), none of which are really getting the cryptographers in first so far.

† "But what I want to do isn't novel." Cool, use one of the existing secure systems. If you can't, no matter why, then you're wrong: you did want to do something novel, so start at the top.




I don't think that's true about SSL/TLS. SSLv2, the Netscape protocol, was a shitshow, but SSL3, its successor and the basis for TLS, has Paul Kocher's name on the RFC. The mixed MD5/SHA1 construction is apparently Kocher's doing.


If you're claiming that Kocher's involvement in SSLv3 is enough, note that SSLv2 which you called a "shitshow" is the work of Taher Elgamal, who is also a famous cryptographer.

I claim the correct approach isn't "We should hire a cryptographer", although that wouldn't hurt a lot of designs, but "We need a lot of cryptographers beating on this", because of that problem about the easiest person to fool being yourself. That means the outside world needs a good look, and that's one reason the IETF was able to get there first: it's all on a mailing list in public view (well, these days it's on GitHub, but if you're allergic that's summarised to the list periodically).

One of the hidden advantages TLS 1.3 has over SSLv2 is that of course today TLS is famous. If you're an academic in the area TLS 1.3 work was potentially a series of high impact journal papers, and thus would do your career good, whereas I can't think even Hellman (who had worked with both Elgamal and Kocher at Stanford) would have had a lot of time for SSL in the 1990s.


Right, so I guess I'm wondering how you reconcile your diagnosis of SSL/TLS needing input from cryptographers with the actual history of TLS. You claim, for instance, that TLS 1.2 was the first instance of the protocol that was actually vetted by cryptographers, which seems clearly not to be the case.


I could nitpick that I said cryptographers and we've seen one cryptographer for SSLv2 and one for SSLv3: https://www.youtube.com/watch?v=OwHGE7uhjco

But really, that's fair. And it's even possible that the key difference was only ever that we learned along the way how to do this, and so any bunch of fools might have developed TLS 1.3 knowing what we did by then, while not even a prolonged public effort could have made SSLv3 good. Perhaps, if that's right, in ten years every Tom, Dick and Harry will have a high quality cryptographically secure protocol that isn't just TLS...

But I think what I was getting at is that at last TLS 1.2 had a bunch of outside cryptographers critiquing it. It's just that they were too late because it was finished. Some of the things that today are broken in TLS 1.2 weren't discovered years later; they were known (even if not always with a PoC exploit at the time) at roughly the time it was published. Having such critiques arrive during TLS 1.3 development meant the final document only had the problems known and accepted by the group [such as 0-RTT being inherently less safe] plus, so far, the Selfie attack. Not bad.


"Consumers" in this context doesn't literally mean consumers; it means advocates working in the interest of consumers. Advocates who would do things like insist that the cryptography be looked at by independent experts.


https://www.3gpp.org/about-3gpp/membership

e: also "3GPP TS 33.501" if you want to read about 5G NR encryption; it's open to us all, time to read through it all notwithstanding.



