Talk:SQRL

From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Computing (Rated Start-class, Low-importance)
WikiProject icon This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
Start-Class article Start  This article has been rated as Start-Class on the project's quality scale.
 Low  This article has been rated as Low-importance on the project's importance scale.
 

More headings; First Article[edit]

Hi, this is my first new article. There is scope for several bullet points between "Motivation" and "Example use case" for more information about the workings of the protocol.Dagelf (talk) 13:09, 15 October 2013 (UTC)

Hello, and thanks. Better yet would be to use English prose instead of bullet points. This is supposed to be an encyclopedia, not a promotional brochure. Also please to give context and specific dates for things. For example, calling it a "standard" seems a bit presumptuous. Which official international standards body has published it? If none, then just say it is a "technology" promoted by XXX<ref>{{Cite ...}}</ref> W Nowicki (talk) 00:30, 17 November 2013 (UTC)

Limitations[edit]

This was added to the article:

Much like the more conventional username-and-password solution, SQRL authentication is potentially vulnerable to a Man-in-the-middle attack (aka "phishing"). Unlike usernames and passwords, SQRL limits the scope of the breach insomuch as the attacker only gains one authenticated session, rather than an unlimited number of future sessions and furthermore removes the possibility for the attacker to change the password (effectively locking out the user indefinitely).

This seems to be based on old information and doesn't adequately describe the phishing protections it does have, unlike other authentication methods. https://www.grc.com/sqrl/phishing.htm A limitation is to suggest other methods can do this, but this one can't. So, I don't think this opinion shouldn't be presented as a section title. It would be more appropriate to call the phishing protections an advantage over every other authentication method. Morphh (talk) 22:20, 3 November 2013 (UTC)
Can you please specify which part you think is based on old information, and how, exactly, "limitations" might imply it is "inferior" to another authentication mechanism, rather than simply having a "limit" to it's goodness? Even global acceptance of SQRL would not negate phishing attacks, they would just become different & more elaborate (e.g. an attacker could say "our click-to-login system is down, please scan with your mobile device to login") it is important that people understand the limitations of the system. --Osndok (talk) 16:33, 4 November 2013 (UTC)
It seemed to be based on information released prior to the new phishing protections added, since it didn't mention the same ip policy which would only make this attack effective when using cross device authentication. With the term "limitations", I think the larger issue was the heading where just mentioning such in prose would be more acceptable. As such, section headers must follow WP:STRUCTURE are reserved for major areas of the article. So perhaps a section on "Security protections", then a sub-section on "Phishing" with a couple sentences that discuss the limits. I don't want to exclude the material, but it has to be placed in relative context, give weight to the protections it offers, and be careful not to get into WP:SPECULATION. The fact that it offers any protection to phishing is major point, which should be the focus of any such section. Morphh (talk) 17:23, 4 November 2013 (UTC)

Biased article / notability?[edit]

I'm not seeing any clear indication that this is notable yet. Doing a bit of searching, I'm seeing basically no mainstream coverage of this, there are many claims in here about the security of this method which are not substantiated by anything except the claims of the original author of the protocol. There's also a fair amount of WP:SYNTH in the actual writeup. I'm going to proactively remove this particularly egregious segment:

The development of the protocol is an example of the marketplace of ideas on the Internet. There has been QR code based login and authentication experimentation previously, but the openness and simplicity of this specific implementation, as well as the size of the listenership of the podcast, has created the necessary gravity for the computer security community to move to adopt the protocol.[3][4][5][6][7][8][9][10]

Nothing of the sort is claimed in ANY of the references. References 3-10 are just other examples of QR-code based login.

In any case, I think this article doesn't meet the Notability requirements, so I suggest that if there's any useful content here, it be merged into Gibson's page and possibly QR code. For now I'm tagging this with notability rather than AfD, because I think we can probably handle this as a merge into Gibson's page rather than deletion. 0x0077BE [talk/contrib] 17:04, 22 July 2014 (UTC)

I've added a little to the page, but it does still need more work. peterl (talk) 23:05, 22 July 2014 (UTC)
The additional references help the article quality, but none of them actually establish notability, as they are all forum and blog posts - and they're all from immediately after the initial announcement (no sustained coverage). I think a merge to QR Codes or Gibson's article is appropriate.0x0077BE [talk/contrib] 04:48, 23 July 2014 (UTC)
Oppose - I don't see this as biography information, or something that should be included in QR Code. It's beyond a stub and has enough visibility, particularly in the security community, to receive it's own article. The TechRepublic article is a WP:NEWSBLOG, not personal, so the quality for it is fine. The claims by the author are also fine so long as they are attributed, as he is the authority on it (as is his website as a source). SQRL has several websites dedicated to describing the technology, has been discussed several times on very popular webtv shows, has software being developed on most platforms (which will be available in marketplaces such as Google Play & Apple's Appstore). So I don't see any sense in merging this with another article - it's fine on its own. Morphh (talk) 12:56, 23 July 2014 (UTC)
Well, the other option was to merge it into QR Codes, which even has a section on it for "web authentication". I'm still not seeing anything establishing notability. Some smatterings of discussion on forums right after the announcement, plus a few apps in an app store to allow for it to be supported? No one supports using SQRL, it has had almost no mainstream coverage and basically no coverage after the initial announcement. If it starts getting adopted that's fine, but Wikipedia is not a crystal ball.
Anyway, I'm thinking that at this point, since it seems like at least Peterl and I have tried searching for sources to establish notability and failed, and I'm guessing you have as well Morphh, it's probably time to move to AfD stage (it might have been appropriate to start with AfD instead of proposing deletion/merger in the Talk page like this, but I figured it'd be better to see if anyone comes up with citations to establish notability first). 0x0077BE [talk/contrib] 14:18, 23 July 2014 (UTC)
The AfD discussion can be found here. I've notified three relevant WikiProjects (Cryptography, Computing, Computer Security). 0x0077BE [talk/contrib] 14:44, 23 July 2014 (UTC)
I think you followed a good process to try and request sources. I do admit the sourcing is limited but think what we have is enough to establish notability. We would not yet expect adoption or support - it's too soon and they just finished establishing the standard, but according to Gibson, he's in talks with W3C. The article is getting page views and is not an orphan. Morphh (talk) 15:17, 23 July 2014 (UTC)
If his talks with W3C work out and it gets implemented as some sort of standard spec or basically if any independent sources start paying attention to and covering SQRL, then I'd have no problem with the article being re-created, but that's not the case now, so SQRL is not notable yet. See WP:CBALL and WP:DEADLINE. 0x0077BE [talk/contrib] 16:20, 23 July 2014 (UTC)