[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mail admins?

On 4/24/20 5:01 PM, Bryan Holloway wrote:
> On 4/24/20 4:58 PM, Michael Thomas wrote:
>> On 4/23/20 8:48 PM, Matt Palmer wrote:
>>> On Thu, Apr 23, 2020 at 07:47:58PM -0700, Michael Thomas wrote:
>>>> On 4/23/20 7:35 PM, Matt Palmer wrote:
>>>>> While I do think webauthn is a neat idea, and solves at least one 
>>>>> very real
>>>>> problem (credential theft via phishing), you do an absolutely 
>>>>> terrible job
>>>>> of making that case.
>>>> see RFC 4876, it is not about phishing. not even a little bit. 
>>>> Never has
>>>> been.
>>> Whilst I do *absolutely* agree with you that "A Configuration 
>>> Profile Schema
>>> for Lightweight Directory Access Protocol (LDAP)-Based Agents" is 
>>> "not about
>>> phishing, not even a little bit", I'm not entirely sure how it 
>>> advances your
>>> argument.
>> sorry, 7486.
>> Mike
> Shall we play a game?
> https://en.wikipedia.org/wiki/Mastermind_(board_game)

The point is that shared passwords over the net have nothing to do with 
phishing per se, and everything to do with if I get one of your 
passwords, i get them all. phishing is one way to do that. but there are 
plenty of other ways too. gross incompetence as was the case of LinkedIn 
was my impetus hacking up a pre-webauthn which Steven and Paul happened 
to see which caused us to write our experimental RFC. We weren't think 
about phishing at all, or at least I wasn't.

Here's what i wrote about it in 2012.