W3C home > Mailing lists > Public > public-usable-authentication@w3.org > February 2008

RE: Re[2]: Draft W3C TAG Finding "Passwords in the Clear" available for review

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Thu, 14 Feb 2008 11:40:41 -0800
Message-ID: <2788466ED3E31C418E9ACC5C3166155720762E@mou1wnexmb09.vcorp.ad.vrsn.com>
To: "Chris Drake" <christopher@pobox.com>
Cc: "David Orchard" <dorchard@bea.com>, <public-usable-authentication@w3.org>

 


From: Chris Drake [mailto:christopher@pobox.com] 
>> 4) Passwords belong to users, users should decide who manages them.

>Good point

>> It follows therefore that any site which requires a password to be 
>> supplied ...

>Well - technically - you've made a mistake already.  If passwords
belong to users, then there should 
>never be any way for users to give passwords to sites.  This comes back
to the hashing problem again, 
>with the added annoyance of requiring universal user-agent support for
something secure as well.


Well that is the risk you face when you have an idea in mid-message and
promote it to a heading.

But your argument does not quite work. My money belongs to me but I keep
it in the bank. It follows that it is reasonable for me to give my
password to an identity authority acting on my behalf. I should not need
to give my password to the nytimes just to read an article.
Received on Thursday, 14 February 2008 19:41:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:15 GMT