Re: How US military base in Hawaii was compromised - Password sharing

On Nov 8, 2013, at 5:19 PM, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote:




On Fri, Nov 8, 2013 at 1:02 PM, Michael Richardson <mcr@xxxxxxxxxxxx> wrote:

>>>>> "Phillip" == Phillip Hallam-Baker <hallam@xxxxxxxxx> writes:
    Phillip> http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108

    Phillip> I think that the lesson we should draw from this is that no
    Phillip> organization is capable of using password based security
    Phillip> effectively. People like passwords because they are
    Phillip> convenient, one of the reasons that they are convenient is
    Phillip> that they can be shared.

Exactly.  And that means that any non-password system that does not permit
authority to be delegated will fail to be adopted in places where people
need to share.

Fortunately, we have some really good mechanisms on the books that
permit delegation including OAUTH*, KeyNote (RFC 2704), SASL (I think) and
even going back to SPKI (RFC 2693).  I know that there are more.

Supporting delegation is easy.

Supporting delegation in a way that ordinary people can understand is very hard.

In any organization where passwords are used, changing the authorization to allow you access (aka delegation) is much harder than using my credentials to let you access. With other kinds of credentials, the balance might change. But I don't think so. If you ask me for access to whatever, it's easier for me to stick my finger on the necessary fingerprint reader; giving you my phone, my USB dongle or my OTP token is way easier than filling out the necessary forms to give you authorization. Can't fix that with technology.
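The thread contrasts sharing a credential with delegating authority. As an added example (not code from the thread, and not OAuth, KeyNote or SPKI themselves), the toy below shows what a delegation grant buys the defender: Alice signs a scoped, expiring grant to Bob, Bob authenticates as himself, and the service's audit line records both identities. The principals, secrets and scope names are constructed; per-principal HMAC keys held by the service stand in for the public-key signatures a real SPKI/KeyNote-style certificate would use, so that the block runs with only the standard library.

```python
"""Toy delegation grant versus a shared password (constructed example)."""
import hashlib
import hmac
import json

# Service-side key registry (constructed): one secret per principal, never handed out.
# A real deployment would verify public-key signatures instead of holding these.
KEYS = {
    "alice": b"alice-secret-constructed",
    "bob": b"bob-secret-constructed",
}


def _sign(key: bytes, obj: dict) -> str:
    """Deterministic MAC over a canonical JSON encoding of obj."""
    msg = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _verify(key: bytes, obj: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, obj), sig)


def issue_grant(issuer: str, subject: str, scope: list, expires_at: int) -> dict:
    """Alice (issuer) delegates a bounded set of actions to Bob (subject)."""
    body = {"issuer": issuer, "subject": subject,
            "scope": sorted(scope), "exp": expires_at}
    return {"body": body, "sig": _sign(KEYS[issuer], body)}


def make_request(actor: str, grant: dict, action: str, now: int) -> dict:
    """Bob authenticates as himself and attaches Alice's grant to the request."""
    body = {"actor": actor, "action": action, "ts": now, "grant": grant}
    return {"body": body, "sig": _sign(KEYS[actor], body)}


def authorize(request: dict, now: int) -> tuple:
    """Service-side check. Returns (allowed, audit_line_or_reason)."""
    try:
        body = request["body"]
        actor = body["actor"]
        action = body["action"]
        rsig = request["sig"]
        grant = body["grant"]
        gbody = grant["body"]
        gsig = grant["sig"]
    except (KeyError, TypeError):
        return False, "malformed request"
    if actor not in KEYS:
        return False, "unknown principal"
    # The request must be signed by the actor's own key, not a borrowed one.
    if not _verify(KEYS[actor], body, rsig):
        return False, "bad request signature"
    issuer = gbody.get("issuer")
    if issuer not in KEYS:
        return False, "unknown issuer"
    # The grant must be signed by the delegator; tampering with scope breaks it.
    if not _verify(KEYS[issuer], gbody, gsig):
        return False, "bad grant signature"
    if gbody.get("subject") != actor:
        return False, "grant not issued to actor"
    if now >= gbody.get("exp", 0):
        return False, "grant expired"
    if action not in gbody.get("scope", []):
        return False, "action not in scope"
    # Both identities survive into the audit trail.
    return True, f"{actor} acting for {issuer}: {action}"


def password_request(account: str, action: str) -> str:
    """What the audit log sees when Bob simply types Alice's password."""
    return f"{account}: {action}"  # no trace of Bob, no scope, no expiry


if __name__ == "__main__":
    grant = issue_grant("alice", "bob", ["read:reports"], expires_at=2000)
    ok_req = make_request("bob", grant, "read:reports", now=1500)
    print(authorize(ok_req, now=1500))   # bob acting for alice: read:reports
    print(authorize(ok_req, now=2500))   # grant expired
    bad = make_request("bob", grant, "write:reports", now=1500)
    print(authorize(bad, now=1500))      # action not in scope
    print(password_request("alice", "write:reports"))  # just "alice", nothing else
```

The point of the contrast is the last line: with a shared password the log attributes Bob's action to Alice, with no scope and no expiry, which is exactly the accountability the thread says organizations lose when people share. The grant keeps Alice's secret private, limits Bob to named actions for a bounded time, and can be revoked independently of Alice's own credential.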

