Re: Security for various IETF services

2014-04-07 06:02:08

Brian's response covers the issues very well I think. (Thanks.)

Just one thing to add...

On 04/07/2014 11:09 AM, Brian Trammell wrote:
> I think the practical risk here is only of vandalism, creating a
> mess in the datatracker that it would take a fair amount of work to
> clean up. Any impersonation materially impacting the process would
> presumably (hopefully) be detected by the impersonated themselves.
> And the possibility of someone actually doing this certainly seems
> far-fetched, but so do so many of the things one reads in the
> press these days on this subject.

Given that password re-use over many services is common, there is
also the not at all insignificant risk that any credentials captured
could be abused elsewhere with more impact.

Yes, we ought move away from passwords if/when we ever find an
acceptably better solution, and yes, people ought manage their
passwords well, but neither are today's reality, more's the pity.

S.