Re: [Discuss] 19,000 person company passwords stolen via HTTPS

2015-10-06 Thread Rich Pieri
On 10/6/2015 8:01 PM, Dr. Anthony Gabrielson wrote:
> PGP is not a monolithic data store although it can interface with one. DoD encryption boxes are not monolithic. It all depends on the model and how trust is defined and established.

/etc/passwd is. So is every web service authentication syste

Re: [Discuss] 19,000 person company passwords stolen via HTTPS

2015-10-06 Thread Dr. Anthony Gabrielson
I’m not going to go back and forth about this all night… So I’m signing off of this thread after this response else it turns into a classic tl;dr.

> On Oct 6, 2015, at 7:55 PM, Rich Pieri wrote:
>
> On 10/6/2015 7:30 PM, Anthony Gabrielson wrote:
>> No…
>
> Yes. It's a monolithic data store w

Re: [Discuss] 19,000 person company passwords stolen via HTTPS

2015-10-06 Thread Rich Pieri
On 10/6/2015 7:30 PM, Anthony Gabrielson wrote:
> No…

Yes. It's a monolithic data store with every user's identifying credentials in it. It doesn't matter how that data is stored. It doesn't matter what transformations are performed on that data. It's still in one place and the whole thing can

Re: [Discuss] 19,000 person company passwords stolen via HTTPS

2015-10-06 Thread Rich Pieri
On 10/6/2015 5:12 PM, Edward Ned Harvey (blu) wrote:
> I have no idea what RP was talking about, or if there was a point at all, but Anthony, you're right. I know in CBCrypt, there is no basket with all the eggs.

Yes, there is. The authenticating server has a piece of information for each user w

Re: [Discuss] 19,000 person company passwords stolen via HTTPS

2015-10-06 Thread Edward Ned Harvey (blu)
> From: Discuss [mailto:discuss-bounces+blu=nedharvey@blu.org] On
> Behalf Of Dr. Anthony Gabrielson
>
>> On Oct 6, 2015, at 10:52 AM, Rich Pieri wrote:
>>
>> The problem isn't encryption or lack thereof. The problem is that the way
>> we handle authentication is fundamentally broken. Cen

Re: [Discuss] Fwd: Hey FCC, Don't Lock Down Our Wi-Fi Routers | WIRED

2015-10-06 Thread Chuck Anderson
The current, much reorganized draft is here: https://docs.google.com/document/d/1E1D1vWP9uA97Yj5UuBPZXuQEPHARp-AhRqUOeQB2WPk/edit?pli=1

On Mon, Oct 05, 2015 at 06:59:29PM +, Kurt L Keville wrote:
> Fwded from Dave Taht... apologies if I am wading into the thread late...
>

Re: [Discuss] 19,000 person company passwords stolen via HTTPS

2015-10-06 Thread Dr. Anthony Gabrielson
> On Oct 6, 2015, at 10:52 AM, Rich Pieri wrote:
>
> The problem isn't encryption or lack thereof. The problem is that the way we
> handle authentication is fundamentally broken. Centralized authentication is
> literally an all eggs in one basket deal. Steal the basket and you get all
> the e

Re: [Discuss] 19,000 person company passwords stolen via HTTPS

2015-10-06 Thread Rich Pieri
The problem isn't encryption or lack thereof. The problem is that the way we handle authentication is fundamentally broken. Centralized authentication is literally an all eggs in one basket deal. Steal the basket and you get all the eggs. The problem is compounded by a bass-ackwards verificati

[Discuss] 19,000 person company passwords stolen via HTTPS

2015-10-06 Thread Edward Ned Harvey (blu)
This is the reason why you should care about authentication and encryption happening without exposing passwords or encryption keys to servers. In this case, it was hackers planting a malicious DLL to capture plaintext passwords received during HTTPS login sessions, but there's nothing preventing