Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 06 January 2015 13:47 UTC

Stephen & Barry,

Thank you both for working through this.  I'm caught up now as I was
asleep during the exchange.  I want to make sure I understand where we
are at now.

Barry will propose text that lists out the steps requested in his
original discuss.  I think this could be a helpful addition.  I was
fine with the text of the draft as-is, but see that different people
think differently and this addition could be helpful.  I had to add in
something similar in one of my drafts even though I and a few others
thought the steps were clear; in the end it was helpful to some.

The other item was on LinkedIn and I think we are ok now on the text
change, is that right?  To see if I can help, I do agree with Stephen
here and hope the updated text is enough to move forward on this one
(it seems to be the case).  If the LinkedIn attack is mentioned, most
know that it was a large scale attack against the passwords stored on
the server side.  For what it's worth, just the mention of an attack
is not necessarily bad press.  Most look at how a company handled an
attack and the aftermath now rather than the fact that one happened.
Sometimes it is positive and most of the time it turns out to be positive
for companies (even TJ Maxx had an increase in sales after their breach
that involved compromised Point of Sale systems).

Barry, as an FYI, the focus on passwords is partly due to my review as
that is what this draft is helping to solve.  I wanted text removed
that talked about phishing attacks because they are far more
complicated than just passwords and can involve lots of different
types of credentials.  I do think the focus on passwords is more
appropriate.

Thank you,
Kathleen

On Tue, Jan 6, 2015 at 4:59 AM, Barry Leiba <barryleiba@computer.org> wrote:
>>> A proto -10 version with changes indicated below is at [1] the
>>> diff vs. -09 at [2].
>>
>> Will try to look at that later (Tues evening, China time).
>
> Got a chance to look at the diffs now; yes, it looks good, and thanks again.
>
> Barry

-- 

Best regards,
Kathleen