Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Barry Leiba <barryleiba@computer.org> Tue, 06 January 2015 08:22 UTC

MIME-Version: 1.0
Sender: barryleiba@gmail.com
In-Reply-To: <54AB9870.50505@cs.tcd.ie>
References: <20150105174855.11968.51931.idtracker@ietfa.amsl.com> <54AAE9C7.8010105@cs.tcd.ie> <CALaySJ+j2u3_amk-BSjDgRvoGKFjsqn8k1Lm8pN0dW5dCXck3g@mail.gmail.com> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E7BA@dfweml704-chm> <54AB4FFF.4040402@cs.tcd.ie> <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com> <54AB9870.50505@cs.tcd.ie>
Date: Tue, 06 Jan 2015 16:20:39 +0800
Message-ID: <CALaySJKbyM=c9XhOFR0aXk_aGscexzAKdQxoMHDQ7iQv3nh+ZQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/2VBOmIIr7zQjBqzuBpBtSS7qAuQ
Cc: "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
List-Id: HTTP authentication methods <http-auth.ietf.org>

>>>>>> >>>> I don't think you need to say "a la LinkedIn," and I think it's a
>>>>>> >>>> bad idea to have us link a company's name to a password
>>>>>> >>>> compromise forever in an RFC.  Especially when it's not
>>>>>> >>>> necessary.
...
>>>> >> I think it is: I think it's a very bad thing to disparage specific
>>>> >> companies in our RFCs.
...
>>>> >> this with me (why you think it's
>>>> >> important to leave it there), then the discussion will have happened,
>>>> >> and we can move ahead.
>
> Yet here we still are? :-)

Because I think the discussion needs to continue.  I still don't
understand why you think it's so important to single out LinkedIn,
such that it's worth the damage that having that in an RFC represents.

>> The fact that there's a plethora of examples really speaks to not
>> calling out one company on this,
>
> I re-iterate: At the time of writing this was the poster-child
> example. It still remains one, and a good one for RFC readers.

It was not "the poster child": there have been so many of these
breaches, both before and since, that I see no reason at all to call
out any one instance.

>> as well as that it's not necessary to
>> do so.  We could just say "the many password exposures that have been
>> well documented in the media," for example.
>
> That may be a reasonable comment, but I continue to maintain that
> it is not DISCUSS-worthy. And I think being so shy about this is
> a bad plan actually and we ought if anything be more direct about
> it.

I don't think text such as what I suggest -- text that does not name
specific companies that got hacked -- is being shy.  Actually, I think
it makes a *stronger* statement to say that there have been many, and
that they have made big news worldwide.

> "bad idea" does not mean DISCUSS-worthy, and extending the DISCUSS
> criteria in that way seems very wrong to me.

"Bad idea" in this case means, to me, bad for the IETF.  I think it's
just wrong.

This is not a "pedantic correction" nor a "stylistic issue" -- it is,
to me, an important point.  You and I clearly don't agree on this, so
let's see what other ADs think as they fill out their ballots.

> I think in a case like this it is entirely correct to reference well
> publicised security incidents in the most natural fashion via the name
> of the organisation that experienced the incident. In this case, I
> re-iterate that that incident was I think the most commonly cited one
> at the time of writing. (I can buy that adding a citation for more
> detail would be a good addition though.)

I understand that's what you think.  As I say, we disagree, apparently strongly.

Barry