Archived in the ietf-http-wg-old@w3.org public mailing list (W3C), September to December 1998

RE: authentication-02: threat of snooped password

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Wed, 2 Sep 1998 19:47:08 -0400 (EDT)
Message-Id: <199809022347.TAA12899@aleatory.research.bell-labs.com>
To: http-wg@hplb.hpl.hp.com, paulle@microsoft.com
Paul Leach <paulle@microsoft.com> wrote:
  > [...]
  > This is the proposed replacement for the paragraph in question:
  > 
  > If a server permits users to select their own passwords, then the threat is
  > not only illicit access to documents on the server but also illicit access
  > to any other resources on other systems that the user protects with the same
  > password. Furthermore, in the server's password database, many of the
  > passwords may also be users' passwords for other sites. The owner or
  > administrator of such a system could conceivably incur liability if this
  > information is not maintained in a secure fashion.

Just a (what else?) nit:  the word "illicit" makes me uncomfortable.
How about "unauthorized"?

I'm also inclined to agree with Scott's remarks about "liability".
Perhaps the last sentence should read:

    The owner or administrator of such a system could therefore expose
    all users of the system to the risk of unauthorized access of all
    those accounts if this information is not maintained in a secure
    fashion.

Dave Kristol
Received on Wednesday, 2 September 1998 16:49:32 EDT
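The paragraph under discussion concerns the "password file" a Digest server keeps. The following is an added example, not code from the thread or from the authentication draft: it models the per-user value a Digest server stores, H(A1) = MD5(username:realm:password), and the qop=auth request-digest as defined in the draft, then shows what a copy of that table gives an attacker. The realm, usernames, passwords, nonce values and wordlist are constructed for the example.

```python
import hashlib
import hmac

# Constructed data for this example (not from the thread): one Digest realm
# and two users whose plaintexts we know only here, to build the table.
REALM = "example.com"
_PLAINTEXT = {"alice": "letmein", "bob": "Tr0ub4dor&3"}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username ":" realm ":" password). A Digest server stores
    this per user in place of the plaintext password."""
    return md5hex(f"{username}:{realm}:{password}")


# What the server's Digest password file actually holds.
PASSWORD_DB = {u: ha1(u, REALM, p) for u, p in _PLAINTEXT.items()}


def digest_response(h_a1, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth: MD5(H(A1):nonce:nc:cnonce:qop:H(A2)),
    with H(A2) = MD5(method:uri)."""
    h_a2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def server_accepts(db, username, response, method, uri, nonce, nc, cnonce):
    """Server-side check: recompute from the stored H(A1), compare in
    constant time. Note the server never needs the plaintext."""
    stored = db.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def forge_with_stolen_ha1(db, username, method, uri, nonce, nc, cnonce):
    """An attacker who copied the table never needs the password: within
    this realm the stored H(A1) is a password equivalent."""
    return digest_response(db[username], method, uri, nonce, nc, cnonce)


def offline_dictionary_attack(db, realm, wordlist):
    """Recover plaintexts from the stolen table. Each guess costs one MD5,
    so anything in a wordlist falls quickly; the recovered plaintext is what
    the attacker then tries at every other site where the user reused it."""
    recovered = {}
    for user, stored in db.items():
        for guess in wordlist:
            if ha1(user, realm, guess) == stored:
                recovered[user] = guess
                break
    return recovered


def demo():
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    method, uri = "GET", "/dir/index.html"
    # 1. A leaked table lets the thief log in here without any password.
    forged = forge_with_stolen_ha1(PASSWORD_DB, "alice", method, uri, nonce, nc, cnonce)
    accepted = server_accepts(PASSWORD_DB, "alice", forged, method, uri, nonce, nc, cnonce)
    # 2. It also lets the thief recover reused passwords for use elsewhere.
    wordlist = ["password", "123456", "letmein", "qwerty"]  # constructed
    recovered = offline_dictionary_attack(PASSWORD_DB, REALM, wordlist)
    # 3. The realm inside H(A1) stops direct replay of the table against a
    #    different realm, but does nothing for a recovered plaintext.
    replays_elsewhere = ha1("alice", "other.example", "letmein") == PASSWORD_DB["alice"]
    return accepted, recovered, replays_elsewhere


if __name__ == "__main__":
    print(demo())
```

The two results together are the point of the paragraph: the table is worth protecting like plaintext, because a copy both authenticates as any user in that realm and, for every weak or guessable password, yields the plaintext that the same user may have chosen on other systems.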
