Re: [http-auth] Alissa Cooper's No Objection on draft-ietf-httpauth-hoba-09: (with COMMENT)
"Martin J. Dürst" <duerst@it.aoyama.ac.jp> Thu, 08 January 2015 02:49 UTC
Message-ID: <54ADEFF1.4040301@it.aoyama.ac.jp>
Date: Thu, 08 Jan 2015 11:48:17 +0900
From: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Organization: Aoyama Gakuin University
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <20150107222027.18377.83227.idtracker@ietfa.amsl.com> <54ADBD79.4090201@cs.tcd.ie> <CAKKJt-fRX=upmtEAW5s1bFs0=zK0BV1JvWnkqkPKQFxR0kHW2g@mail.gmail.com> <A71C21BC-39BA-47B8-87FD-3BDF5ADE4F5D@gmail.com> <CAKKJt-fAF9nTydDw0HmTU+qhQPCxMosLruzmsWHDzAURaOvXBw@mail.gmail.com>
In-Reply-To: <CAKKJt-fAF9nTydDw0HmTU+qhQPCxMosLruzmsWHDzAURaOvXBw@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/YaqdQC1NI167lkrmb6E728vMSJQ
Cc: "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, httpauth-chairs@tools.ietf.org, Alissa Cooper <alissa@cooperw.in>, "iesg@ietf.org" <iesg@ietf.org>
On 2015/01/08 10:13, Spencer Dawkins at IETF wrote:
> On Jan 8, 2015 8:58 AM, "Kathleen Moriarty" <kathleen.moriarty.ietf@gmail.com> wrote:
>> On Jan 7, 2015, at 7:39 PM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
>>> I'm no security maven, but when I was reading recently about Sony's wizard security practices, I thought to myself, "I'd never do anything that dumb", and kind of stopped there. I wonder if that's more likely if the text calls out any single company.
>>>
>>> Spencer, who may still be too nice to be an AD ...
>>
>> For big attacks, the security folks tend to name the first or a big recent example of a specific attack. When you say the LinkedIn attack, I remember that there was some crazy large (I think a million+) number of passwords stolen from the server side. This caused a lot of questions from friends and lots of password changes (well publicized). In response to Barry's question on this that led to Stephen's update, I mentioned that most look at how a company responds in terms of reputation as opposed to the fact that an event occurs. Business usually goes up, as crazy as that sounds. RSA gets mentioned when the discussion is about APTs or the trend in supply chain attacks. I hope this was helpful.
>
> This all makes sense to me.
>
>> Does the new language help enough? I think it does, but another security person.
>
> I think the question is whether we think the readers of this RFC (to be) will have the security community mindset, or whether there will be a broader audience.
>
> I have no idea which of those is the case, of course.

What about *both*?

Regards,   Martin.