
RE: EARL security/privacy concerns

From: Carlos Iglesias <carlos.iglesias@fundacionctic.org>
Date: Fri, 27 Oct 2006 11:59:30 +0200
Message-ID: <09700B613C4DD84FA9F2FEA5218828190171B3ED@ayalga.fundacionctic.org>
To: "Johannes Koch" <johannes.koch@fit.fraunhofer.de>, <public-wai-ert@w3.org>

Hi Johannes,

> Carlos Iglesias wrote:
> > However there is some information in the "HTTP Vocabulary in RDF" that is clearly sensitive. My first thoughts are for the "authorization" property which contains the userid and password, especially in "Basic Authentication" that relies just on a base64 encoded string.
>
> Because it is the same in the HTTP protocol itself, I don't see the need for additionally encrypting it for EARL.

The Basic authentication scheme is not a secure method, but sometimes you could use Basic Authentication because you rely on the physical network security (e.g. in a private intranet). If the physical network has gone (e.g. you share an EARL report outside the private network) the only security you get is the laughable base64.

I still think it's worth thinking about it and, at least, explaining the issue in informative text.


Carlos Iglesias

CTIC Foundation
Science and Technology Park of Gijón
33203 - Gijón, Asturias, Spain 

phone: +34 984291212
fax: +34 984390612
email: carlos.iglesias@fundacionctic.org
URL: http://www.fundacionctic.org
Received on Friday, 27 October 2006 09:59:54 UTC
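
Added example, not part of the original message or of any EARL tool: one way to scrub Basic credentials from a serialized report before it leaves the private network. The element names in the sample are hypothetical placeholders, not taken from the "HTTP Vocabulary in RDF", and the sample report and credentials are constructed.

```python
import base64
import binascii
import re

# Matches "Basic <token>" wherever it appears in the serialized report text.
BASIC_RE = re.compile(r"\bBasic\s+([A-Za-z0-9+/]+={0,2})")


def decode_basic(token):
    """Return (userid, password) if token is a Basic credential, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    userid, sep, password = text.partition(":")
    # Basic credentials are always "userid:password"; no colon means no match.
    return (userid, password) if sep else None


def redact_report(report):
    """Replace Basic credentials; return (clean_report, userids_found)."""
    found = []

    def _sub(match):
        creds = decode_basic(match.group(1))
        if creds is None:
            return match.group(0)  # ordinary prose, leave untouched
        found.append(creds[0])     # record the userid only, never the password
        return "Basic [REDACTED]"

    return BASIC_RE.sub(_sub, report), found


# Constructed sample; element names are hypothetical, credentials are made up.
SAMPLE_REPORT = """\
<http:Request>
  <http:authorization>Basic dGVzdGVyOnMzY3JldA==</http:authorization>
  <http:accept>text/html</http:accept>
</http:Request>
<note>Basic accessibility checks passed</note>
"""

if __name__ == "__main__":
    clean, users = redact_report(SAMPLE_REPORT)
    print(clean)
    print("credentials removed for:", users)
```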
