[passwordsInTheClear-52] Comments from XHTML 2 Working Group from Shane McCarron on 2008-07-18 (public-xhtml2@w3.org from July 2008)

From: Shane McCarron <shane@aptest.com>
Date: Fri, 18 Jul 2008 10:33:18 -0500
To: www-tag@w3.org
CC: XHTML WG <public-xhtml2@w3.org>
Message-ID: <4880B7BE.5050602@aptest.com>

The XHTML 2 Working Group was asked to review the editors draft of the 
tag finding on passwords in the clear [1], and that task fell to me.  
Below are the working group comments on this document.  Thanks for 
asking us to perform this review. In general the group feels that 
encouraging web site creators to secure information is a very good thing 
for the W3C to be doing.


We have a few specific comments:


1. The working group agrees with another reviewer that the section 2.1.1 
on Digest Authentication should be deprecated.  SSL/TLS is readily 
available, and even self-created security certificates are better than 
the shared-secret architecture of Digests.


2. In section 2.1.2 paragraph 2, change "must" to "MUST".  The working 
group agrees that web site developers MUST use SSL/TLS when sending 
passwords and other sensitive information between the user agent and the 
server.


3. In section 3 you discuss passwords displayed in Browser.  HTML 4.01 
[2], and by inference XHTML 1.0, 1.1, Basic 1.0, Basic 1.1, etc. mandate 
that input fields of type "password" render the text in such a way as to 
hide the characters.  We understand why your good practice in this 
section is a SHOULD, but wanted to point out that if a field is of type 
password the SHOULD is somewhat academic.  If a designer decides that it 
needs to be possible to reveal the contents of a password field, they 
will need to change the field type to "text" or use some sort of 
javascript to reveal the contents...  And changing the type to "text" 
would fly in the face of the idea of password security within the user 
agent.


The group also feels that it might be reasonable to add to this section 
that User Agents SHOULD remove the contents of the password field from 
their internal cache about the page after the form is submitted.  This 
would further secure the password itself, and of course logically 
require that the password be re-entered by a user before the page could 
be re-submitted after pressing the browser's back button.


If you have any questions about these comments, do not hesitate to 
contact me.

[1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
[2] http://www.w3.org/TR/html401/interact/forms.html#h-17.4.1

-- 
Shane P. McCarron                          Phone: +1 763 786-8160 x120
Managing Director                            Fax: +1 763 786-8180
ApTest Minnesota                            Inet: shane@aptest.com

Received on Friday, 18 July 2008 15:33:57 UTC