W3C home > Mailing lists > Public > public-wai-ert@w3.org > October 2006

Re: EARL security/privacy concerns

From: Charles McCathieNevile <chaals@opera.com>
Date: Thu, 26 Oct 2006 18:53:01 +1000
To: "Johannes Koch" <johannes.koch@fit.fraunhofer.de>, public-wai-ert@w3.org
Message-ID: <op.th0tmneqwxe0ny@widsith.local>

On Thu, 26 Oct 2006 17:42:46 +1000, Johannes Koch  
<johannes.koch@fit.fraunhofer.de> wrote:

>
> Carlos Iglesias schrieb:
>> However there is some information in the "HTTP Vocabulary in RDF" that  
>> is clearly sensitive. My first thoughts are for the "authorization"  
>> property which contains the userid and password, specially in "Basic  
>> Authentication" that relies just on a base64 encoded string.
>
> Because it is the same in the HTTP protocol itself, I don't see the need  
> for additionally encrypting it for EARL.

If you want to encrypt it in EARL you could use a hashing algorithm. I  
suspect that in many cases it makes more sense to use a URI that has  
nothig to do with the original password as an identifier.

An example use case would be describing the characteristics of a system  
that customises itself according to who you login as (W3C has a number of  
these in its member area, and Opera has them in our intranet). It depends  
on how much protection you want - publishing an encrypted password is not  
quite as foolish as publishing it unecrypted, but it is not that  
infeasible to crack most encryption methods. Better to mint a URI that is  
seperate, and doesn't have any relation to the password itself. Even in an  
automated system you could do this - get the user ID number, and use that  
to generate the identifier. The only place this breaks is where the  
password itself is significant. And it has the benefit of working even if  
I change my password every 10 days (as required in some security systems).

So I still think we should do nothing, but might explain this issue in  
informative text.

cheers

chaals

-- 
   Charles McCathieNevile, Opera Software: Standards Group
   hablo español  -  je parle français  -  jeg lærer norsk
chaals@opera.com          Try Opera 9 now! http://opera.com
Received on Thursday, 26 October 2006 09:22:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:27 GMT