W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

ISSUE-49: trust in browser password cache needs to be better justified (pubic comment)

From: Web Security Context Issue Tracker <dean+cgi@w3.org>
Date: Mon, 16 Apr 2007 10:48:56 +0000 (UTC)
To: public-wsc-wg@w3.org
Message-Id: <20070416104856.8B1B313AC4@seamus.w3.org>


ISSUE-49: trust in browser password cache needs to be better justified (pubic comment)

http://www.w3.org/2006/WSC/Group/track/issues/49

Raised by: Bill Doyle
On product: Note: use cases etc.

>From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org

http://lists.w3.org/Archives/Public/public-usable-
authentication/2007Apr/0000.html

trust in browser password cache needs to be better justified 
where it says, in 8.4 Password management
(better to let browser keep it)
please consider
You have in effect zeroed out the hazard raised by exploits against the OS and 
browser.  The bald assertion that it's better to minimize re-entry of 
passwords on repeated visits is thus not credible, because it is patently 
biased.
Why? 
Presently, I let the Apple OS keychain keep passwords for me; else not.  This 
key wallet is explained as encrypted and this OS has a good track record.  If 
you want to represent the user's security, you have to include all threats in 
presenting a balanced picture of good and bad.  If then you want the user to 
use the browser as a web-password safe, you need to make that case more 
convincingly than the present appeal to convenience, or avoiding spoofing 
risk.  Don't substitute a browser security hole for a user security hole.  Fix 
the problem.
Received on Monday, 16 April 2007 10:49:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT