Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

Michael Thomas <mike@fresheez.com> Tue, 06 January 2015 16:24 UTC

Message-ID: <54AC0C4B.9070608@fresheez.com>
Date: Tue, 06 Jan 2015 08:24:43 -0800
From: Michael Thomas <mike@fresheez.com>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <20150105174855.11968.51931.idtracker@ietfa.amsl.com> <54AAE9C7.8010105@cs.tcd.ie> <CALaySJ+j2u3_amk-BSjDgRvoGKFjsqn8k1Lm8pN0dW5dCXck3g@mail.gmail.com> <9C2AA051DD3C464F8ADEE38AEE6C26AD18C9E7BA@dfweml704-chm> <54AB4FFF.4040402@cs.tcd.ie> <CALaySJ+QY12hbrn0SkzwCakcBR3mqSD7XkHAQEspogafVq1_-g@mail.gmail.com> <54AB9870.50505@cs.tcd.ie> <CALaySJKbyM=c9XhOFR0aXk_aGscexzAKdQxoMHDQ7iQv3nh+ZQ@mail.gmail.com>
In-Reply-To: <CALaySJKbyM=c9XhOFR0aXk_aGscexzAKdQxoMHDQ7iQv3nh+ZQ@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/upW4u9r43HzVazNvUgDkrv1wjEw
Cc: "draft-ietf-httpauth-hoba.all@tools.ietf.org" <draft-ietf-httpauth-hoba.all@tools.ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "httpauth-chairs@tools.ietf.org" <httpauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [http-auth] Barry Leiba's Discuss on draft-ietf-httpauth-hoba-09: (with DISCUSS and COMMENT)

On 01/06/2015 12:20 AM, Barry Leiba wrote:
>
> Yet here we still are? :-)
> Because I think the discussion needs to continue.  I still don't
> understand why you think it's so important to single out LinkedIn,
> such that it's worth the damage that having that in an RFC represents.
>
>>> The fact that there's a plethora of examples really speaks to not
>>> calling out one company on this,
>> I re-iterate: At the time of writing this was the poster-child
>> example. It still remains one, and a good one for RFC readers.
> It was not "the poster child": there have been so many of these
> breaches, both before and since, that I see no reason at all to call
> out any one instance.


I'm pretty sure that I'm responsible for the offending text, and it was enough of a poster child in my mind because my JS implementation was a direct response in an "enough is enough" way. Yes, there have been lots of these, but if a large, well known, well funded company is vulnerable, how can we expect everybody else to not fall prey? The problem isn't with LinkedIn per se -- and it makes me extremely angry when the finger waggers inevitably blame end users -- it's with password schemes in general, which is a failure of engineering.

FWIW, I don't see LinkedIn in this case as "name and shame" but more of a "this too can be YOU" example. For that reason, I think it's better to leave it in as a cautionary tale instead of diluting it down to non-specific "others".

Mike