
Re: [apps-discuss] [http-auth] [saag] [websec] [kitten] HTTP authentication: the next generation

From: John C Klensin <john-ietf@jck.com>
Date: Sun, 09 Jan 2011 13:22:04 -0500
To: Marsh Ray <marsh@extendedsubset.com>
cc: apps-discuss@ietf.org, "Roy T. Fielding" <fielding@gbiv.com>, websec <websec@ietf.org>, Robert Sayre <sayrer@gmail.com>, kitten@ietf.org, http-auth@ietf.org, saag@ietf.org, Ben Laurie <benl@google.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <C8C831FBFA69BCE4EBCA1F5C@PST.JCK.COM>


--On Saturday, January 08, 2011 15:32 -0600 Marsh Ray
<marsh@extendedsubset.com> wrote:

> On 01/08/2011 10:07 AM, Phillip Hallam-Baker wrote:
>> I think that Ben is right that we are solving the wrong
>> problem.
> 
> I think Ben is nearly always right. :-)
> 
> But let me toss out a different perspective. I'll try
> carefully and hope that this doesn't come across as trolling,
> but it is a bit contrarian (hopefully in a good way).
>...

Well, actually, I think this is constructive, useful, and rather
nicely describes the other side of the problem.  

I would add that one important variation on "Person = Identity =
Email address" has historically involved the use of
subaddresses.  Not only do they help considerably with mail
management (pretty much their original purpose) but they provide
an additional (weak but convenient) measure against email fraud
and identity theft attempts (if I know that mail from my bank is
going to be addressed to "john+12345@example.com" because that
is the only address they have, then it is pretty clear where
mail that supposedly comes from them but is addressed to
"john+LargeRetailer@example.com" should be routed).  Obviously,
if an address that is used for only one vendor or correspondent
gets into the hands of a spammer, it is lots easier to fix that
problem as well.  

Address-per-correspondent also makes password-per-correspondent
much easier too.

Lots of web sites and providers have been really resistant to
that approach.  I had assumed before this that the problem was
just stupidity, but parts of your comments could be expanded to
lead to the inference that having me use more than one address
is not in their interests.    Whatever becomes of that tradeoff,
the IETF should not, IMO, be doing things that encourage them in
directions that reduce our privacy and ability to control our
identities. 

>...
> Which is why everyone just has one email address? Come on,
> most people have several. And often they do so for a reason,
> it's not just that people get new ISPs or switch for new
> features all the time. I train my kids to lie about their
> names and ages when they do stuff online. They don't have
> emails.
> 
> You don't have a personal email and a work email at least?
>...

exactly.  with the emphasis on "at least"

>...
> Bad things happen when you force-fit the wrong model on to the
> design. Security and privacy are always the first to go.
> (Somewhere I saw the other day somebody seriously proposing
> using Facebook as a centralized identity authority.) More
> subtly, people find the system harder to use, and overall they
> just don't like it or trust it as much. People won't use it,
> or they'll use it and not like it, or they won't use it as
> much, or they'll figure out a way to defeat it.

Indeed.  In all of the really significant cases, probably the
latter.  If I had a nickel for every sticky note with a password
(sometimes slightly-disguised) stuck to a screen...  But those
notes are precisely a workaround for "you have to change your
password frequently, you can't share passwords between systems,
and we will insist by various means that your passwords are
strong and that a given password is not obviously derivable from
its predecessors" policies.

>...

   john
Received on Sunday, 9 January 2011 18:22:42 GMT
