Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 06 January 2015 08:39 UTC

Message-ID: <54AB9F2E.20707@cs.tcd.ie>
Date: Tue, 06 Jan 2015 08:39:10 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>
References: <20150105174855.11968.51931.idtracker@ietfa.amsl.com> <54AAE9C7.8010105@cs.tcd.ie> <CALaySJ+j2u3_amk-BSjDgRvoGKFjsqn8k1Lm8pN0dW5dCXck3g@mail.gmail.com> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E7BA@dfweml704-chm> <54AB4FFF.4040402@cs.tcd.ie> <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com> <54AB9870.50505@cs.tcd.ie> <CALaySJKbyM=c9XhOFR0aXk_aGscexzAKdQxoMHDQ7iQv3nh+ZQ@mail.gmail.com>
In-Reply-To: <CALaySJKbyM=c9XhOFR0aXk_aGscexzAKdQxoMHDQ7iQv3nh+ZQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/mGmOJ9nLhg8UdEF2Bdf1A9uYy2Q
Cc: "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)


On 06/01/15 08:20, Barry Leiba wrote:
>>>>>>>>>>> I don't think you need to say "a la LinkedIn," and I think it's a
>>>>>>>>>>> bad idea to have us link a company's name to a password
>>>>>>>>>>> compromise forever in an RFC.  Especially when it's not
>>>>>>>>>>> necessary.
> ...
>>>>>>> I think it is: I think it's a very bad thing to disparage specific
>>>>>>> companies in our RFCs.
> ...
>>>>>>> this with me (why you think it's
>>>>>>> important to leave it there), then the discussion will have happened,
>>>>>>> and we can move ahead.
>>
>> Yet here we still are? :-)
> 
> Because I think the discussion needs to continue.  I still don't
> understand why you think it's so important to single out LinkedIn,
> such that it's worth the damage that having that in an RFC represents.

There is no additional damage to them (unless via this discussion,
à la Streisand ;-) and I don't see any damage to the IETF from a
mention of that being in an RFC. It was a real and really well
publicised incident; our mentioning it in an RFC will not put it
back on the front pages as it was at the time.

>>> The fact that there's a plethora of examples really speaks to not
>>> calling out one company on this,
>>
>> I re-iterate: At the time of writing this was the poster-child
>> example. It still remains one, and a good one for RFC readers.
> 
> It was not "the poster child": there have been so many of these
> breaches, both before 

We disagree there as to the facts. My recollection is that it very
much was the poster child at the time of writing. But we might of
course both be recalling imperfectly.

> and since, that I see no reason at all to call
> out any one instance.
> 
>>> as well as that it's not necessary to
>>> do so.  We could just say "the many password exposures that have been
>>> well documented in the media," for example.
>>
>> That may be a reasonable comment, but I continue to maintain that
>> it is not DISCUSS-worthy. And I think being so shy about this is
>> a bad plan actually, and we ought, if anything, to be more direct
>> about it.
> 
> I don't think text such as what I suggest -- text that does not name
> specific companies that got hacked -- is being shy.  Actually, I think
> it makes a *stronger* statement to say that there have been many, and
> that they have made big news worldwide.
> 
>> "bad idea" does not mean DISCUSS-worthy, and extending the DISCUSS
>> criteria in that way seems very wrong to me.
> 
> "Bad idea" in this case means, to me, bad for the IETF.  I think it's
> just wrong.
> 
> This is not a "pedantic correction" nor a "stylistic issue" -- it is,
> to me, an important point. 

Sure, I accept that you think this is important.

> You and I clearly don't agree on this, 

Very much so.

> so
> let's see what other ADs think as they fill out their ballots.

Yep.

>> I think in a case like this it is entirely correct to reference well
>> publicised security incidents in the most natural fashion via the name
>> of the organisation that experienced the incident. In this case, I
>> re-iterate that that incident was I think the most commonly cited one
>> at the time of writing. (I can buy that adding a citation for more
>> detail would be a good addition though.)
> 
> I understand that's what you think.  As I say, we disagree, apparently strongly.

I strongly disagree with this comment being a DISCUSS point.
Were there a blatant error in the text, that might be defensible,
but there is not: that incident did happen and was very widely
publicised. [1]

   [1] https://en.wikipedia.org/wiki/2012_LinkedIn_hack

I far less strongly disagree about the text that ought to be in
the RFC; that is, my main problem with your comment is that it
is a blocking DISCUSS point.

Cheers,
S.
