Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 08 January 2015 03:00 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <54ADF108.7010208@it.aoyama.ac.jp>
Date: Wed, 07 Jan 2015 22:00:53 -0500
Message-Id: <0C7C8A9C-70BF-4E68-BD4B-91652B14105A@gmail.com>
References: <20150105174855.11968.51931.idtracker@ietfa.amsl.com> <54AAE9C7.8010105@cs.tcd.ie> <CALaySJ+j2u3_amk-BSjDgRvoGKFjsqn8k1Lm8pN0dW5dCXck3g@mail.gmail.com> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E7BA@dfweml704-chm> <54AB4FFF.4040402@cs.tcd.ie> <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com> <54ABAF30.8040207@cs.tcd.ie> <CALaySJ+y8_AF_B5yJHwJe=ZMp+4Yiy=WoBXdooUTD0jQW6wrTQ@mail.gmail.com> <CALaySJ+8Sv_D52xrxL=ZfxQY=cNgJpd+sUT9TjbYjv=-tdUGSQ@mail.gmail.com> <CAHbuEH4FZrYobdr41J_kp2EN f6k=oCE6B7dp9XfVuq5o59Rvow@mail.gmail.com> <54ADF108.7010208@it.aoyama.ac.jp>
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/VSh7RN1Jy3l6bht7eCsrL-iUu-Q
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, Barry Leiba <barryleiba@computer.org>, "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)


Sent from my iPhone

> On Jan 7, 2015, at 9:52 PM, "Martin J. Dürst" <duerst@it.aoyama.ac.jp> wrote:
> 
>> On 2015/01/06 22:47, Kathleen Moriarty wrote:
>> 
>> The other item was on LinkedIn and I think we are ok now on the text
>> change, is that right?  To see if I can help, I do agree with Stephen
>> here and hope the updated text is enough to move forward on this one
>> (it seems to be the case).  If the LinkedIn attack is mentioned, most
>> know that it was a large scale attack against the passwords stored on
>> the server side.  For what it's worth, just the mention of an attack
>> is not necessarily bad press.  Most look at how a company handled an
>> attack and the aftermath now rather than the fact that one happened.
>> Sometimes it is positive and most of the time it turns out to be positive
>> for companies (even TJ Maxx had an increase in sales after their breach
>> that involved compromised Point of Sale systems).
> 
> This almost sounds as if making sure you get hit once in a while and your user's data gets stolen is a good thing :-(.

Martin,

What I typed was to help with an explanation, not actual text to be used in a draft.  It was an example (that can be backed up with data) to say it's not uncommon or looked at poorly to name companies when referring to specific attack types.  How they respond is important, and I did not say anything about repeated attacks; that or severity can have an effect on a business, but that really would have been getting too far off the point of whether or not it's okay to name LinkedIn.

Best regards,
Kathleen

> 
> I seriously hope that's not the case.
> 
> Regards,   Martin.