Kyle, I may be mistaken here, but I don't believe anyone is truly laughing the matter off. There may have been some remarks about second or third parties, but the fact does remain that these are the areas in which current concerns still lie. -- Robert Miller (arch3angel)

On 6/24/12 1:02 AM, Kyle Creyts wrote:
I would suggest that multiple models be pursued (since each appears to have a champion) and that the market/drafting process will resolve the issue of which is better (which is okay by me: widespread adoption of any of the proposed models would advance the state of the norm; progress beats the snot out of stagnation in my book)
My earlier replies were reprehensible. This is not a thread that should just be laughed off. Real progress may be occurring here, and at the least, good knowledge and discussion is accumulating in a way which may serve as a resource for the curious or concerned. On Jun 22, 2012 7:25 AM, "Leo Bicknell" <bicknell@ufp.org> wrote:
In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush wrote:
> there are no trustable third parties

With a lot of transactions, the second party isn't trustable, and sometimes the first party isn't as well. :)
In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher Morrow wrote:
> note that yubico has models of auth that include:
> 1) using a third party
> 2) making your own party
> 3) HOTP on token
> 4) NFC
> they are a good company, trying to do the right thing(s)... They also don't necessarily want you to be stuck in the 'get your answer from another'

Requirements of hardware or a third party are fine for the corporate world, or for sites that make enough money or have enough risk to invest in security, like a bank.
Requiring hardware for a site like Facebook or Twitter is right out. Does not scale, can't ship to the guy in Pakistan or McMurdo who wants to sign up. Trusting a third party becomes too expensive, and too big of a business risk.
There are levels of security here. I don't expect Facebook to take the same security steps as my bank to move my money around. One size does not fit all. Making it so a hacker can't get 10 million login credentials at once is a quantum leap forward even if doing so doesn't improve security in any other way.
The perfect is the enemy of the good.
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
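HOTP, the third of the Yubico models listed in the thread, as an added example that is not part of any message above: an RFC 4226 HOTP generator together with the server-side check a site would run against a token's code. The secret is the RFC 4226 test key, so the codes can be checked against the RFC's own vectors; the function names and the look-ahead window size are my own choices. The verifier only accepts counters at or past the stored one, so a previously used code is rejected as a replay, and the window lets a token that was pressed a few times without being submitted resynchronise.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret ("12345678901234567890"); constructed
# input for this example, not a real token's key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    chunk = digest[offset:offset + 4]               # 4 bytes at that offset
    code = struct.unpack(">I", chunk)[0] & 0x7FFFFFFF  # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                window: int = 5, digits: int = 6):
    """Server-side check. Tries counters stored_counter .. stored_counter+window-1
    (look-ahead resync for tokens pressed without submitting). Returns the
    new counter to persist on success, None on failure. Counters below
    stored_counter are never accepted, so an already-used code is a replay."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    print("resync ->", verify_hotp(RFC4226_SECRET, 0, hotp(RFC4226_SECRET, 2)))
    print("replay ->", verify_hotp(RFC4226_SECRET, 3, hotp(RFC4226_SECRET, 2)))
```

The stored counter is the only per-user server state; there is no shared third party, which is the property the thread is weighing against the cost of shipping hardware. The constant-time comparison matters less for a 6-digit code than for a secret, but it costs nothing.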