On Nov 8, 2013, at 5:19 PM, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:
On Fri, Nov 8, 2013 at 1:02 PM, Michael Richardson <mcr(_at_)sandelman(_dot_)ca> wrote:
"Phillip" == Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> writes:
Phillip> http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108
Phillip> I think that the lesson we should draw from this is that no
Phillip> organization is capable of using password based security
Phillip> effectively. People like passwords because they are
Phillip> convenient, one of the reasons that they are convenient is
Phillip> that they can be shared.
Exactly. And that means that any non-password system that does not permit
authority to be delegated will fail to be adopted in places where people
need to share.
Fortunately, we have some really good mechanisms on the books that
permit delegation including OAUTH*, KeyNote(2704), SASL (I think) and
even going back to SPKI (rfc2693). I know that there are more.
Supporting delegation is easy.
Supporting delegation in a way that ordinary people can understand is very hard.
In any organization where passwords are used, changing the authorization to
allow you access (aka delegation) is much harder than using my credentials to
let you access. With other kinds of credentials, the balance might change. But
I don't think so. If you ask me for access to whatever, it's easier to stick my
finger on the necessary fingerprint reader; giving you my phone, my USB dongle
or my OTP token is way easier than filling out the necessary forms to give you
authorization. Can't fix that with technology.