Re: delegation and passwordsInTheClear-52

I'm confused. 

Why can't this transmission be SSL/TLS/HTTPS protected? I'm sure I'm 
missing something super obvious. 

          Mez

From: Dan Connolly <connolly@w3.org>
To: www-tag <www-tag@w3.org>, public-usable-authentication@w3.org
Date: 06/25/2008 10:30 AM
Subject: delegation and passwordsInTheClear-52
Sent by: public-usable-authentication-request@w3.org

I wonder about this:

"Every scenario that involves possibly transmitting passwords in the
clear can be redesigned for the desired functionality without a
cleartext password transmission."
  -- http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080602

W3C has tried to stamp out cleartext passwords on its own
web site a few times, but one of the main blockers, aside from
buggy support for digest in various bits of software, is delegation.

W3C has a few forms-based services that use
cleartext passwords for delegation; e.g. our XSLT service
  http://www.w3.org/2005/08/online_xslt/#authinfo

If you want to use the service on password-protected pages,
you just put the credentials in a form and it uses them.

The main use case is password-protected pages inside w3.org
(though I'm not sure that's technically enforced) so it's
not really all *that* much less secure than sending credentials
to get the actual password-protected page. Still, yes,
it makes many of us uncomfortable.

How can these delegated services be "redesigned for the desired
functionality without a cleartext password transmission."

The W3C systems team has been looking at this for several
years without finding a solution.

-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E

Received on Friday, 27 June 2008 12:09:25 UTC