Re: Autospill vulnerability and deploying password replacement

Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
    > Yes, I get the fact that some people have this weird idea they are
    > going to get rid of passwords with passkeys. But in the real world,
    > passwords are going to be with us for a very long time and even longer

Sadly, you are right.

    > The Android password overspill vulnerability is currently going the
    > rounds.  It is a serious but manageable problem. The problem being that
    > managing it requires an industry wide effort to deploy infrastructure
    > that makes use of password managers secure and that is off message
    > right now because all the majors are trying to make passwords obsolete.

I'm curious where you are seeing the "off message" push.

    > Let me make an unwelcome suggestion - the way to achieve global
    > deployment of passkeys is to grease the wheels for deployment of
    > password managers.

I agree.

    > Imagine a world in which every application, of which browsers are only
    > one instance, supports a common interface to a password manager that
    > resides IN THE PLATFORM and connects to the password management service
    > of the user's choice. OSX and Windows already have much of the
    > necessary infrastructure to support that already. Call this 'Open
    > Password Manager'

    > Such a protocol would of course be making heavy use of public key
    > cryptography behind the scenes. (And if you let me write the spec, it
    > will use threshold cryptography so that the password management service
    > has no access to the credentials stored.)

I think that you are proposing a kind of challenge/response protocol where
responses can be plaintext passwords, or passkeys, or something new.
I'm reminded of X9.9, and that we basically did the server side of this over
RADIUS almost 30 years ago.

    > So what I am arguing for here is a strategy where instead of looking
    > only at the final end state and designing that, we acknowledge the need
    > for deployment infrastructure and the fact that we might need to fix
    > the thing we want to get rid of as part of the getting rid of it
    > strategy.

I agree with you.

    > Here in Boston, we had this thing called the Big Dig. One of the very
    > expensive and complex parts of the project was the construction of a
    > connector from the old raised highway to the new sunk one. This was
    > built, used for a few years and then demolished.

    > If we want to get rid of passwords, we don't necessarily have to do it
    > my way but I am certain we have to think about deployment as the
    > biggest part of the problem

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide