
RE: Proposed Final Review of W3C TAG Finding "Passwords in the Clear"

From: Justin James <j_james@mindspring.com>
Date: Wed, 25 Jun 2008 00:58:12 -0400
To: "'Mark Baker'" <distobj@acm.org>
Cc: <public-html@w3.org>
Message-ID: <0a6201c8d680$11e1fc80$35a5f580$@com>

Mark -

Great summary of my thoughts. If this is reworded to be a simple, "hey,
don't send passwords in the clear unless you have a really good reason for
it" piece, then I have no problem with it. :)

J.Ja

-----Original Message-----
From: public-html-request@w3.org [mailto:public-html-request@w3.org] On Behalf Of Mark Baker
Sent: Wednesday, June 25, 2008 12:43 AM
To: Justin James
Cc: public-html@w3.org
Subject: Re: Proposed Final Review of W3C TAG Finding "Passwords in the Clear"


On Wed, Jun 25, 2008 at 12:22 AM, Justin James <j_james@mindspring.com> wrote:
>
> So, anyone not using HTTP 403 style authentication with Digest must use SSL?
> I really do not see this happening. There are far too many sites in which
> the capture of a password is fairly unimportant and/or the owners of the
> site cannot afford an SSL certificate. Additionally, to enforce this at the
> browser level with the "MUST NOT" phrasing is unrealistic;

Yup. I mentioned this a few years ago on www-tag about another
finding (or AWWW even, can't remember), but I don't think RFC 2119
terms are suitable for use by a TAG finding, especially in contexts
such as a "best practice". How can something be a best practice *and*
required in all situations without exception?! 8-O

RFC 2119 was designed for use by those defining Internet protocols,
not as advice for developers. I think if the finding removed all
references to those terms, it would be fine.

Mark.
Received on Wednesday, 25 June 2008 04:59:17 UTC