Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 06 January 2015 13:47 UTC
Stephen & Barry,

Thank you both for working through this. I'm caught up now as I was asleep during the exchange. I want to make sure I understand where we are at now.

Barry will propose text that lists out the steps requested in his original discuss. I think this could be a helpful addition. I was fine with the text of the draft as-is, but see that different people think differently and this addition could be helpful. I had to add in something similar in one of my drafts even though I and a few others thought the steps were clear; in the end it was helpful to some.

The other item was on LinkedIn and I think we are ok now on the text change, is that right? To see if I can help, I do agree with Stephen here and hope the updated text is enough to move forward on this one (it seems to be the case). If the LinkedIn attack is mentioned, most know that it was a large scale attack against the passwords stored on the server side.

For what it's worth, just the mention of an attack is not necessarily bad press. Most look at how a company handled an attack and the aftermath now rather than the fact that one happened. Sometimes it is positive, and most of the time it turns out to be positive for companies (even TJ Maxx had an increase in sales after their breach that involved compromised Point of Sale systems).

Barry, as an FYI, the focus on passwords is partly due to my review as that is what this draft is helping to solve. I wanted text removed that talked about phishing attacks because they are far more complicated than just passwords and can involve lots of different types of credentials. I do think the focus on passwords is more appropriate.

Thank you,
Kathleen

On Tue, Jan 6, 2015 at 4:59 AM, Barry Leiba <barryleiba@computer.org> wrote:
>>> A proto -10 version with changes indicated below is at [1] the
>>> diff vs. -09 at [2].
>>
>> Will try to look at that later (Tues evening, China time).
>
> Got a chance to look at the diffs now; yes, it looks good, and thanks again.
>
> Barry

--
Best regards,
Kathleen