Re: [http-auth] [saag] re-call for IETF http-auth BoF

Nico Williams <nico@cryptonector.com> Mon, 06 June 2011 23:32 UTC

In-Reply-To: <4DED55C5.1010306@extendedsubset.com>
References: <878vtgfbs1.fsf@bluewind.rcis.aist.go.jp> <A89D85D0-00AB-4F21-8841-6707E9CDCFC4@gmx.net> <BANLkTind5rg-tOZJ+B2ocD_s=9_-rufH5Q@mail.gmail.com> <4DED55C5.1010306@extendedsubset.com>
Date: Mon, 06 Jun 2011 18:32:45 -0500
Message-ID: <BANLkTi=OCAJ268zgW0-4omr_8hYTcq9QhA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Marsh Ray <marsh@extendedsubset.com>
Cc: http-auth@ietf.org
Subject: Re: [http-auth] [saag] re-call for IETF http-auth BoF

On Mon, Jun 6, 2011 at 5:33 PM, Marsh Ray <marsh@extendedsubset.com> wrote:
> On 06/06/2011 04:44 PM, Nico Williams wrote:
>>
>>  But I'm afraid
>> that the appearance of success will be enough to staunch progress in
>> any other areas, so it may be a now-or-never situation for any
>> alternatives other than JavaScript crypto APIs.
>
> Don't worry about it, they're not going to work even that well.

I know they won't work.  That's not my fear.  My fear is that they
will seem to be enough of an improvement over the current mess that we
declare victory and go home, leaving us with a serious failure.

> They wouldn't have stopped the government of Tunisia from MitMing Facebook
> and inserting Javascript to modify the behavior of the page. They wouldn't
> have stopped the government of Syria from using a BlueCoat to perform SSL
> MitM on Facebook with a bogus self-signed cert either.

Right.

> Both governments were arresting and shooting their citizens and hacking
> their Facebook credentials. Interestingly, Tunisia controls a trusted root
> CA but didn't bother to use it. Syria doesn't control a widely trusted CA,
> but doesn't seem to need it either.
>
> Sooner or later, people will tire of security theater. We can just try to
> have the best options available when they do.

Having them available means having implementations and deployments of
code done.  That's also the hardest part.

Nico
--