On 4/24/20 5:01 PM, Bryan Holloway wrote:
On 4/24/20 4:58 PM, Michael Thomas wrote:
On 4/23/20 8:48 PM, Matt Palmer wrote:
On Thu, Apr 23, 2020 at 07:47:58PM -0700, Michael Thomas wrote:
On 4/23/20 7:35 PM, Matt Palmer wrote:
While I do think webauthn is a neat idea, and solves at least one very real
problem (credential theft via phishing), you do an absolutely terrible job
of making that case.
see RFC 4876, it is not about phishing. not even a little bit. Never has
been.
Whilst I do *absolutely* agree with you that "A Configuration Profile Schema
for Lightweight Directory Access Protocol (LDAP)-Based Agents" is "not about
phishing, not even a little bit", I'm not entirely sure how it advances your
argument.
sorry, 7486.
Mike
Shall we play a game?
https://en.wikipedia.org/wiki/Mastermind_(board_game)
The point is that shared passwords over the net have nothing to do with
phishing per se, and everything to do with if I get one of your
passwords, I get them all. Phishing is one way to do that, but there are
plenty of other ways too. Gross incompetence, as was the case of LinkedIn,
was my impetus for hacking up a pre-webauthn, which Steven and Paul happened
to see, which caused us to write our experimental RFC. We weren't thinking
about phishing at all, or at least I wasn't.
Here's what I wrote about it in 2012.
https://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-joinlogin.html
Mike