
Re: Draft W3C TAG Finding "Passwords in the Clear" available for review

From: James A. Donald <jamesd@echeque.com>
Date: Fri, 15 Feb 2008 14:27:00 +1000
Message-ID: <47B51494.2080903@echeque.com>
To: Chris Drake <christopher@pobox.com>
CC: "Hallam-Baker, Phillip" <pbaker@verisign.com>, David Orchard <dorchard@bea.com>, public-usable-authentication@w3.org

Chris Drake wrote:
 > Well - technically - you've made a mistake already.
 > If passwords belong to users, then there should never
 > be any way for users to give passwords to sites.  This
 > comes back to the hashing problem again, with the
 > added annoyance of requiring universal user-agent
 > support for something secure as well.

I assume you are talking about SRP or something similar.

We all know that everyone should do passwords using SRP
- at least, all of us that know what SRP is.  I have
been giving some thought to the problem of making SRP
usable to your mother in law, and the guy who was given
the job of bringing up the web site because everyone
else was too busy, and it is not so simple as one might
think.  Has to be done, of course, and eventually will
be done, just saying it is a hard row to hoe.
Received on Friday, 15 February 2008 04:27:16 GMT
