Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Thu, 08 January 2015 02:53 UTC


On 2015/01/06 22:47, Kathleen Moriarty wrote:

> The other item was on LinkedIn and I think we are ok now on the text
> change, is that right?  To see if I can help, I do agree with Stephen
> here and hope the updated text is enough to move forward on this one
> (it seems to be the case).  If the LinkedIn attack is mentioned, most
> know that it was a large scale attack against the passwords stored on
> the server side.  For what it's worth, just the mention of an attack
> is not necessarily bad press.  Most look at how a company handled an
> attack and the aftermath now rather than the fact that one happened.
> Sometimes it is positive and most of the time it turns out to be positive
> for companies (even TJ Maxx had an increase in sales after their breach
> that involved compromised Point of Sale systems).

This almost sounds as if making sure you get hit once in a while and
your users' data gets stolen is a good thing :-(.

I seriously hope that's not the case.

Regards,   Martin.