nanog mailing list archives
Re: How to fix authentication (was LinkedIn)
From: AP NANOG <nanog () armoredpackets com>
Date: Mon, 25 Jun 2012 09:30:02 -0400
Kyle,

I may be mistaken here, but I don't believe anyone is truly laughing the matter off.
There may have been some remarks about second or third parties, but the fact does remain that these are the areas in which current concerns still lie.
--
Robert Miller
(arch3angel)

On 6/24/12 1:02 AM, Kyle Creyts wrote:
> I would suggest that multiple models be pursued (since each appears to have a champion) and that the market/drafting process will resolve the issue of which is better (which is okay by me: widespread adoption of any of the proposed models would advance the state of the norm; progress beats the snot out of stagnation in my book).
>
> My earlier replies were reprehensible. This is not a thread that should just be laughed off. Real progress may be occurring here, and at the least, good knowledge and discussion is accumulating in a way which may serve as a resource for the curious or concerned.
>
> On Jun 22, 2012 7:25 AM, "Leo Bicknell" <bicknell () ufp org> wrote:
>> In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush wrote:
>>> there are no trustable third parties
>>
>> With a lot of transactions the second party isn't trustable, and sometimes the first party isn't as well. :)
>>
>> In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher Morrow wrote:
>>> note that yubico has models of auth that include:
>>> 1) using a third party
>>> 2) making your own party
>>> 3) HOTP on token
>>> 4) NFC
>>> they are a good company, trying to do the right thing(s)... They also don't necessarily want you to be stuck in the 'get your answer from another'
>>
>> Requirements of hardware or a third party are fine for the corporate world, or sites that make enough money or have enough risk to invest in security, like a bank. Requiring hardware for a site like Facebook or Twitter is right out. Does not scale, can't ship to the guy in Pakistan or McMurdo who wants to sign up. Trusting a third party becomes too expensive, and too big of a business risk.
>>
>> There are levels of security here. I don't expect Facebook to take the same security steps as my bank to move my money around. One size does not fit all.
>>
>> Making it so a hacker can't get 10 million login credentials at once is a quantum leap forward even if doing so doesn't improve security in any other way. The perfect is the enemy of the good.
>>
>> --
>> Leo Bicknell - bicknell () ufp org - CCIE 3440
>> PGP keys at http://www.ufp.org/~bicknell/
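The "HOTP on token" model that Christopher Morrow lists above is RFC 4226: the token and the server share a secret and a counter, and each press of the token emits HMAC-SHA1 over the counter, truncated to six digits. The following is an added example, not code from anyone in this thread or from Yubico: it implements both the token-side computation and a server-side verifier with a look-ahead window (so a few presses that never reach the server do not lock the user out) and replay rejection. The secret and counters come from the RFC 4226 test vectors; the `HotpVerifier` class, its `window` parameter and the sample session are this example's own assumptions. Note the caveat that bears on Leo's "10 million credentials at once" point: the server still stores one secret per user, so a dump of that table is as damaging as a dump of reusable passwords, and it needs the same protection (encryption at rest, HSM, or a separate validation service) that the thread is arguing about.

```python
"""HOTP (RFC 4226) token value and server-side verifier. Added example."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side. HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation (RFC 4226 section 5.3), then reduce mod 10**digits and
    zero-pad so leading zeros are preserved."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side. Holds the per-user shared secret and the next counter
    value it expects. Codes for counters below that are rejected, which is
    what makes a captured code single-use; codes up to `window` presses
    ahead are accepted and the counter is resynchronised to them.
    (Hypothetical class for this example; the secret store it implies is
    itself a bulk-theft target and must be protected accordingly.)"""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0          # next counter value we will accept

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            # constant-time compare; both strings are ASCII digits
            if hmac.compare_digest(expected, code):
                self.counter = c + 1   # resync: everything <= c is now burnt
                return True
        return False


# Shared secret from the RFC 4226 test vectors (appendix D).
RFC4226_SECRET = b"12345678901234567890"


def sample_session() -> list:
    """Constructed session showing accept, replay, skipped presses, and an
    out-of-window code. Returns the list of verifier decisions."""
    v = HotpVerifier(RFC4226_SECRET, window=5)
    return [
        v.verify(hotp(RFC4226_SECRET, 0)),   # first press: accepted
        v.verify(hotp(RFC4226_SECRET, 0)),   # replay of same code: rejected
        v.verify(hotp(RFC4226_SECRET, 3)),   # user pressed twice unseen: accepted, resync
        v.verify(hotp(RFC4226_SECRET, 2)),   # older counter after resync: rejected
        v.verify(hotp(RFC4226_SECRET, 20)),  # beyond look-ahead window: rejected
    ]


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC4226_SECRET, n))    # 755224, 287082, 359152 per RFC 4226
    print(sample_session())
```

The look-ahead window is the usual trade-off: too small and an out-of-sync token locks the user out, too large and an attacker who has seen one code gets more guesses per counter value, so production verifiers also rate-limit failed attempts and fall back to an explicit resynchronisation step (two consecutive codes) when the window is exhausted.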