On 4/24/20 5:01 PM, Bryan Holloway wrote:
On 4/24/20 4:58 PM, Michael Thomas wrote:
On 4/23/20 8:48 PM, Matt Palmer wrote:
On 4/23/20 7:35 PM, Matt Palmer wrote:
While I do think webauthn is a neat idea, and solves at least one very real problem (credential theft via phishing), you do an absolutely terrible job of making that case.

On Thu, Apr 23, 2020 at 07:47:58PM -0700, Michael Thomas wrote:
See RFC 4876, it is not about phishing. Not even a little bit. Never has been.

Whilst I do *absolutely* agree with you that "A Configuration Profile Schema for Lightweight Directory Access Protocol (LDAP)-Based Agents" is "not about phishing, not even a little bit", I'm not entirely sure how it advances your argument.
sorry, 7486.
Mike
Shall we play a game?
The point is that shared passwords over the net have nothing to do with phishing per se, and everything to do with if I get one of your passwords, I get them all. Phishing is one way to do that. But there are plenty of other ways too. Gross incompetence, as was the case of LinkedIn, was my impetus for hacking up a pre-webauthn, which Steven and Paul happened to see, which caused us to write our experimental RFC. We weren't thinking about phishing at all, or at least I wasn't.

Here's what I wrote about it in 2012.

https://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-jo...

Mike