Re: Passwords over the wire and WebAuthn woes

[Benjamin Kaduk <kaduk@mit.edu>]

On Tue, May 12, 2020 at 12:30:56PM -0700, Michael Thomas wrote:
> 
> On 5/11/20 10:17 PM, Benjamin Kaduk wrote:
> > On Thu, May 07, 2020 at 02:05:53PM -0700, Michael Thomas wrote:
> >> So here's the question: the flows that I created are definitely over the
> >> wire. But they are over the wire between really one party, the web site
> >> owner, since they control the code (= server, client js) on both ends.
> >> However as everybody knows, security is not easy so getting those flows
> >> *correct* is very hard. I have some experience here, and it's mainly
> >> telling me that I'm sure I got things wrong. So  what is the policy
> >> within IETF where a site could roll their own, but really shouldn't
> >> because it ought to be vetted?  Is standardizing such a thing in scope
> >> in IETF or other standards bodies? Because at its heart is not
> >> interoperability across implementation, but vetting a security design
> >> that goes over the wire.
> > If I understand you correctly, it can be in scope to write up
> > (informationally, usually) a protocol for sending stuff over the wire
> > between two endpoints controlled by the same entity that avoids
> > security-relevant pitfalls.
> 
> 
> I guess this begs the question why standards-track isn't appropriate? I 
> mean, lots of $MEGACORPS might just as well be different organizations 
> when it comes to interoperability issues. And they certainly have all of 
> the same problems of each group rolling their own (badly). And of course 
> standards mean that there's review, which is especially important with 
> security related stuff.

Standards-track is not out of the question, and could well be appropriate
in some casess.  My parenthetical was just meant to provide my unscientific
estimate of what has been done in the past.

-Ben