- From: Thomas Roessler <tlr@w3.org>
- Date: Wed, 14 Nov 2007 10:42:15 +0100
- To: public-wsc-wg@w3.org
fyi -- Thomas Roessler, W3C <tlr@w3.org>

----- Forwarded message from David Orchard <dorchard@bea.com> -----

From: David Orchard <dorchard@bea.com>
To: W3C-TAG Group WG <www-tag@w3.org>
Date: Tue, 13 Nov 2007 13:26:10 -0800
Subject: Updated passwords in the clear
List-Id: <www-tag.w3.org>
Archived-At: <http://www.w3.org/mid/BEBB9CBE66B372469E93FFDE3EDC493E0106E6AF@repbex01.amer.bea.com>

Based on our f2f meeting. And I did a couple of tweaks to texts that I thought read better:

"Because many systems store passwords as a salted hash, it is not possible in practice for both parties using such systems to compute the same initial secret value."

"However, there's no obvious method by which a web browser can reliably know when the data entered is sensitive. Furthermore, in browsers which enable scripting, it may be impossible to know whether the information is transmitted in clear text. For example, many forms use onSubmit actions to start javascript programs. These programs secure the password and then transmit the password and other information. A User Agent cannot examine the javascript to ensure that the password is not transmitted in clear text. Because of these limitations, this finding provides no Good Practice advice to User Agent authors."

http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52.html
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20071112.html

Cheers,
Dave

----- End forwarded message -----
Received on Wednesday, 14 November 2007 09:42:31 UTC
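An added Python illustration of the first sentence quoted in the forwarded message (this is not code from the email or from the TAG finding): a server that stores only a salted PBKDF2 hash can check a password that arrives in the clear, but it cannot verify a nonce challenge/response keyed on the password itself, and the only way to make the two sides agree turns the stored hash into a password equivalent. The function names, the PBKDF2 parameters and the sample inputs are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: the server keeps only salt + H(salt, password),
# the kind of storage the finding refers to. Parameters are assumed values.
ITERATIONS = 100_000

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store the salt and the salted hash; the password itself is discarded."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify_plaintext(record: dict, candidate: str) -> bool:
    """Password sent in the clear: the server recomputes H(salt, candidate)."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def client_response(password: str, nonce: bytes) -> bytes:
    """Challenge/response as a client would compute it, keyed on the password."""
    return hmac.new(password.encode(), nonce, "sha256").digest()

def verify_response(record: dict, nonce: bytes, response: bytes) -> bool:
    """The server does not hold the password, only H(salt, password), so the
    best it can do is key on the stored hash. That never matches a response
    keyed on the password: the two parties lack a common initial secret."""
    expected = hmac.new(record["hash"], nonce, "sha256").digest()
    return hmac.compare_digest(expected, response)

def client_response_from_salt(password: str, salt: bytes, nonce: bytes) -> bytes:
    """The only way the sides agree: tell the client the salt and iteration
    count so it derives the very value the server stores. That stored value
    is then a password equivalent, so a stolen record can be used directly."""
    secret = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(secret, nonce, "sha256").digest()
```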