Re: Draft charters available; please comment.

Mary Ellen Zurko wrote:
>
> >  
> >   - Web Security Context Baseline.
> >     http://www.w3.org/2005/Security/wsc-charter
> >    
> >     Think of this as "Secure Metadata" and "Secure Chrome" put
> >     together:  What should user agents display, and how can
> >     they do this securely?
>
> No surprise to anyone on this list, I like this one. I think it 
> provides real value, both against attacks and as a foundation to other 
> works. It explicitly goes after the space of what can be spoofed, 
> which needs more attention. 
Agree.
> >   - Form Annotations for HTTP Authentication.
> >     http://www.w3.org/2005/Security/htmlauth-charter
> >    
> >     Think of this as form-filler support on steroids, as
> >     sketched in late May on this list.
>
> I'm less excited about this one, but it could be that I don't have the 
> full vision. What irks me about this one is that passwords aren't the 
> only thing. In fact, they're not even always the most useful thing. 
> Other PII like credit card numbers, SSN, etc. are still ripe forms of 
> attack. 
Some of this subject is indeed not limited to passwords, and I think the 
charter should be modified to allow for other sensitive data entered by 
web users (typically on forms).
> So what I don't get about this one is "why"? If it's "just" to provide 
> an excellent foundation for exploring solutions that need this 
> feature, then I do get that, because there's research that's having 
> problems with this. I'm missing why if protecting passwords is the 
> question, Digest isn't the answer. It may be obvious to pretty much 
> everyone else, so apologies if it is.
The problem is not, imho, the (bad) use of passwords in the clear. The 
problem is mainly phishing - people entering passwords into wrong sites 
- combined with dictionary attacks (people using weak passwords) and the 
infamous password-reuse problem (using the same password for multiple sites).

I think we have good solutions here and one of the missing components is 
browser support - for identifying these fields, for changing to a 
software-generated password automatically, and for the UI (which should 
be integrated with the secure chrome work item).

Best, Amir Herzberg

Received on Thursday, 22 June 2006 06:30:31 UTC
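The browser-side mechanism Amir sketches above (the user agent recognises a password field and substitutes a software-generated, per-site password) can be made concrete with a small derivation routine. The code below is an added illustration written for this archive page; it is not code from the thread, the W3C charters, or any browser. The salt, the iteration count, the 16-character output length and the decision to bind the password to the exact hostname are all assumptions of the example. It shows the two properties the message relies on: the same master password yields unrelated passwords on different hosts (so a lookalike phishing host never receives the real site's password and reuse across sites disappears), and the master is key-stretched so that one leaked site password is not a cheap dictionary-attack oracle for the master.

```python
"""Per-site password derivation of the kind described in the message above.
Added example; names, parameters and the sample salt are assumptions."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Return the identifier the derived password is bound to.

    Binding to the lower-cased hostname means that a page on any other
    host (bank-login.example, bank.example.attacker.test, ...) receives a
    password that is useless at the real site. Binding to the exact host
    is a deliberate simplification: treating www.bank.example and
    bank.example as one site would need a public-suffix list and is left
    out here.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        # A derived password entered over plain http could be read in
        # transit, which defeats the purpose; refuse rather than derive.
        raise ValueError("refuse to derive a password for a non-https origin")
    if not parts.hostname:
        raise ValueError("URL has no host to bind the password to")
    return parts.hostname.lower()


def stretched_master(master_password: str, salt: bytes) -> bytes:
    """Key-stretch the master password with PBKDF2-HMAC-SHA256.

    Without stretching, a single site password leaked from a breached site
    lets an attacker try master-password guesses at hash speed. The
    iteration count is an assumed value for the example; a real user agent
    would keep a per-user random salt in the profile.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, 200_000)


def site_password(master_password: str, url: str,
                  salt: bytes = b"example-per-user-salt") -> str:
    """Derive the password the user agent fills in for `url`."""
    key = stretched_master(master_password, salt)
    mac = hmac.new(key, site_key(url).encode("utf-8"), hashlib.sha256).digest()
    # 16 base64 characters (~96 bits) is already far beyond what users
    # choose by hand, which addresses the weak-password half of the problem.
    return base64.b64encode(mac)[:16].decode("ascii")


def phishing_site_learns_real_password(master_password: str,
                                       real_url: str, phish_url: str) -> bool:
    """True only if what the user agent would type into the phishing page
    is the same string the real site expects; with host binding it is not."""
    return site_password(master_password, real_url) == \
        site_password(master_password, phish_url)


if __name__ == "__main__":
    master = "correct horse battery staple"      # constructed sample input
    real = "https://bank.example/login"
    phish = "https://bank-login.example/login"   # constructed lookalike host
    print("real site  :", site_password(master, real))
    print("phish site :", site_password(master, phish))
    print("phisher learns real password:",
          phishing_site_learns_real_password(master, real, phish))
```

The user agent, not the page, decides which field is a password field and which origin the derivation is bound to; that is exactly the "identifying these fields" and "secure chrome" integration the message asks for, since a form that can relabel itself or a spoofed origin indicator would undo the host binding.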