mike at mtcc.com
Sat Apr 25 00:16:28 UTC 2020
On 4/24/20 5:01 PM, Bryan Holloway wrote:
> On 4/24/20 4:58 PM, Michael Thomas wrote:
>> On 4/23/20 8:48 PM, Matt Palmer wrote:
>>> On Thu, Apr 23, 2020 at 07:47:58PM -0700, Michael Thomas wrote:
>>>> On 4/23/20 7:35 PM, Matt Palmer wrote:
>>>>> While I do think webauthn is a neat idea, and solves at least one
>>>>> very real problem (credential theft via phishing), you do an
>>>>> absolutely terrible job of making that case.
>>>> see RFC 4876, it is not about phishing. not even a little bit.
>>>> Never has
>>> Whilst I do *absolutely* agree with you that "A Configuration Profile
>>> Schema for Lightweight Directory Access Protocol (LDAP)-Based Agents"
>>> is "not about phishing, not even a little bit", I'm not entirely sure
>>> how it advances your
>> sorry, 7486.
> Shall we play a game?
The point is that shared passwords over the net have nothing to do with
phishing per se, and everything to do with if I get one of your
passwords, I get them all. Phishing is one way to do that, but there are
plenty of other ways too. Gross incompetence, as was the case of LinkedIn,
was my impetus for hacking up a pre-webauthn which Steven and Paul happened
to see, which caused us to write our experimental RFC. We weren't thinking
about phishing at all, or at least I wasn't.
Here's what I wrote about it in 2012.