Re: [http-auth] [saag] re-call for IETF http-auth BoF

Marsh Ray <marsh@extendedsubset.com> Mon, 06 June 2011 22:33 UTC

Message-ID: <4DED55C5.1010306@extendedsubset.com>
Date: Mon, 06 Jun 2011 17:33:41 -0500
From: Marsh Ray <marsh@extendedsubset.com>
To: Nico Williams <nico@cryptonector.com>
References: <878vtgfbs1.fsf@bluewind.rcis.aist.go.jp> <A89D85D0-00AB-4F21-8841-6707E9CDCFC4@gmx.net> <BANLkTind5rg-tOZJ+B2ocD_s=9_-rufH5Q@mail.gmail.com>
In-Reply-To: <BANLkTind5rg-tOZJ+B2ocD_s=9_-rufH5Q@mail.gmail.com>
Cc: http-auth@ietf.org
Subject: Re: [http-auth] [saag] re-call for IETF http-auth BoF

On 06/06/2011 04:44 PM, Nico Williams wrote:
> But I'm afraid that the appearance of success will be enough to staunch progress in any other areas, so it may be a now-or-never situation for any alternatives other than JavaScript crypto APIs.

Don't worry about it, they're not going to work even that well.

They wouldn't have stopped the government of Tunisia from MitMing Facebook and inserting JavaScript to modify the behavior of the page. They wouldn't have stopped the government of Syria from using a BlueCoat to perform SSL MitM on Facebook with a bogus self-signed cert either.

Both governments were arresting and shooting their citizens and hacking their Facebook credentials. Interestingly, Tunisia controls a trusted root CA but didn't bother to use it. Syria doesn't control a widely trusted CA, but doesn't seem to need it either.

Sooner or later, people will tire of security theater. We can just try to have the best options available when they do.

- Marsh