W3C home > Mailing lists > Public > public-html@w3.org > June 2008

Re: Proposed Final Review of W3C TAG Finding "Passwords in the Clear"

From: Mark Baker <distobj@acm.org>
Date: Wed, 25 Jun 2008 00:43:04 -0400
Message-ID: <e9dffd640806242143w24e7ed21ufebb96122d4033cf@mail.gmail.com>
To: "Justin James" <j_james@mindspring.com>
Cc: public-html@w3.org

On Wed, Jun 25, 2008 at 12:22 AM, Justin James <j_james@mindspring.com> wrote:
> So, anyone not using HTTP 403 style authentication with Digest must use SSL?
> I really do not see this happening. There are far too many sites in which
> the capture of a password is fairly unimportant and/or the owners of the
> site cannot afford an SSL certificate. Additionally, to enforce this at the
> browser level with the "MUST NOT" phrasing is unrealistic;

Yup.  I've mentioned this a few years ago on www-tag about another
finding (or AWWW even, can't remember), but I don't think RFC 2119
terms are suitable for use by a TAG finding, especially in contexts
such as a "best practice".  How can something be a best practice *and*
required in all situations without exception?! 8-O

RFC 2119 was designed for use by those defining Internet protocols,
not advice for developers.  I think if the finding removed all
references to those terms, it would be fine.

Received on Wednesday, 25 June 2008 04:43:40 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:35 UTC