Re: [saag] SHA-1 to SHA-n transition

Jeffrey Hutzelman <jhutz@cmu.edu> Mon, 02 March 2009 18:45 UTC

Date: Mon, 02 Mar 2009 13:45:58 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Nicolas Williams <Nicolas.Williams@sun.com>
Message-ID: <0DE6E86D395C657BABF43B97@minbar.fac.cs.cmu.edu>
In-Reply-To: <20090302182547.GX9992@Sun.COM>
References: <0c2301c9979f$8a1cd770$0600a8c0@china.huawei.com> <2788466ED3E31C418E9ACC5C3166155768B2CE@mou1wnexmb09.vcorp.ad.vrsn.com> <20090226143809.GF7227@mit.edu> <1235663917.3293.16.camel@localhost> <20090226165448.GK9992@Sun.COM> <20090227022359.8D45150822@romeo.rtfm.com> <20090302161134.GG9992@Sun.COM> <20090302172135.DA43650822@romeo.rtfm.com> <200903021720.n22HKZOv006388@grapenut.srv.cs.cmu.edu> <864C82388E530D27DCB6002F@minbar.fac.cs.cmu.edu> <20090302182547.GX9992@Sun.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: der Mouse <mouse@Rodents-Montreal.ORG>, saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition
Precedence: list

--On Monday, March 02, 2009 12:25:47 PM -0600 Nicolas Williams 
<Nicolas.Williams@sun.com> wrote:

> On Mon, Mar 02, 2009 at 01:19:13PM -0500, Jeffrey Hutzelman wrote:
>> --On Monday, March 02, 2009 11:11:22 AM -0600 Nicolas Williams
>> <Nicolas.Williams@sun.com> wrote:
>>
>> > It will be a long time before users can be trained not to type
>> > passwords into attacker-controlled dialogs -- that is definitely true.
>>
>> No, no.  It's a long way down the road to the chemist's.  It will be
>> _forever_ before users can be trained not to type passwords into
>> attacker-controlled dialogs.  We've been trying for decades, and some of
>> the users in question have _been here_ for decades, and the message
>> still  hasn't gotten through.
>
> Mostly because the technology to move beyond application-controlled
> dialogs has not been deployed or the technologies that have been have
> been unsatisfactory.

No, it has nothing to do with the technology.
As long as users have a password, they will give it to anyone or anything 
that asks for it.  You'll get through to some of them that they shouldn't 
give their password away, but not to most of them.

Really.  It's sad to say, but people in general do _not_ read directions 
and do _not_ follow procedures, even when they are carefully trained in 
procedures specifically designed to protect against particular threats, and 
even when the threat is to the user's life or safety.

How do you expect users to remember not to give away their passwords when 
they can't be bothered to remember to wash their hands or look both ways 
before crossing a street?

-- Jeff

Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
[saag] SHA-1 to SHA-n transition Stephen Kent
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Hannes Tschofenig
Re: [saag] SHA-1 to SHA-n transition Stephen Kent
Re: [saag] SHA-1 to SHA-n transition Chandersekaran, Coimbatore S
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Yoav Nir
Re: [saag] SHA-1 to SHA-n transition Pasi.Eronen
Re: [saag] SHA-1 to SHA-n transition David McGrew
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Santosh Chokhani
Re: [saag] SHA-1 to SHA-n transition der Mouse
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Paul Hoffman
Re: [saag] SHA-1 to SHA-n transition David Harrington
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Michael O'Neill
Re: [saag] SHA-1 to SHA-n transition Theodore Tso
[saag] Deployment Deadlock Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
[saag] Channel binding is great but not a silver … Sam Hartman
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] Channel binding is great but not a sil… Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] Channel binding is great but not a sil… Alan DeKok
Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] Channel binding is great but not a sil… Alan DeKok
[saag] Or grow a real PKI (Re: SHA-1 to SHA-n tra… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Stephen Kent
Re: [saag] Channel binding is great but not a sil… Stephen Kent
Re: [saag] Channel binding is great but not a sil… Stephen Kent
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
Re: [saag] Channel binding is great but not a sil… Nicolas Williams
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
Re: [saag] Deployment Deadlock Pasi.Eronen
Re: [saag] Deployment Deadlock Hallam-Baker, Phillip
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
Re: [saag] SHA-1 to SHA-n transition Theodore Tso
Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
[saag] Credential portability RE: SHA-1 to SHA-n … Hallam-Baker, Phillip