I would suggest that multiple models be pursued (since each appears to have a champion) and that the market/drafting process will resolve the issue of which is better (which is okay by me: widespread adoption of any of the proposed models would advance the state of the norm; progress beats the snot out of stagnation in my book).
My earlier replies were reprehensible. This is not a thread that should just be laughed off. Real progress may be occurring here, and at the least, good knowledge and discussion is accumulating in a way which may serve as a resource for the curious or concerned.

On Jun 22, 2012 7:25 AM, "Leo Bicknell" <bickn...@ufp.org> wrote:

> In a message written on Thu, Jun 21, 2012 at 04:48:47PM -1000, Randy Bush wrote:
> > there are no trustable third parties
>
> With a lot of transactions the second party isn't trustable, and
> sometimes the first party isn't as well. :)
>
> In a message written on Thu, Jun 21, 2012 at 10:53:18PM -0400, Christopher Morrow wrote:
> > note that yubico has models of auth that include:
> > 1) using a third party
> > 2) making your own party
> > 3) HOTP on token
> > 4) NFC
> >
> > they are a good company, trying to do the right thing(s)... They also
> > don't necessarily want you to be stuck in the 'get your answer from
> > another'
>
> Requirements of hardware or a third party are fine for the corporate
> world, or sites that make enough money or have enough risk to invest
> in security, like a bank.
>
> Requiring hardware for a site like Facebook or Twitter is right
> out. Does not scale, can't ship to the guy in Pakistan or McMurdo
> who wants to sign up. Trusting a third party becomes too expensive,
> and too big of a business risk.
>
> There are levels of security here. I don't expect Facebook to take
> the same security steps as my bank to move my money around. One
> size does not fit all. Making it so a hacker can't get 10 million
> login credentials at once is a quantum leap forward even if doing
> so doesn't improve security in any other way.
>
> The perfect is the enemy of the good.
>
> --
> Leo Bicknell - bickn...@ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/