
Re: Idea for securityfix in HTML

From: Goetz Bock <bock@blacknet.de>
Date: Sun, 17 Nov 2002 21:59:01 +0100
To: www-forms@w3.org
Message-ID: <20021117215901.M1167@zealot.blacknet.de>


On Sun, Nov 17 '02 at 12:35, John Keiser wrote:
> I think the bottom line here is, MD5 is not enough but we need an MD5 
> function so that we can hash the password so that it will match the one 
> in the database before doing another, more secure hash based on 
> server-supplied text, like HMAC (thanks John).
Just to tell you again: using MD5 on the password will not gain you
anything. MD5ing a password to match it against an MD5 hash stored in
the database is *WORSE* than sending the plaintext password (it's worse
because it gives a false sense of security).
And using HMAC won't help either.

Face it. You're not going to add ANYTHING to HTML anymore. HTML has been
deployed and it's impossible to fix anything, now or in the future.

OTOH if you're going to use XHTML (or XForms) then you can just stop. All
you need is there. Pick from: SSL/TLS, XML Signature, XML Encryption.

They all work with XML data, are designed by people who spent some time
thinking about what they do (at least so I hope) and are way better than
any quick fix anyone will come forth with within a couple of emails.

OTOH why bother about this at all. Thanks to the US, and TCPA, we will
get all the security/authentication we never really wanted within the next
few years.
-- 
Goetz Bock       (c) 2002 as     blacknet.de - Munich - Germany   /"\
IT Consultant    GNU FDL 1.1    secure mobile Linux everNETting   \ /
                                                                   X
 ASCII Ribbon Campaign against HTML email & microsoft attachments / \
Received on Sunday, 17 November 2002 15:59:37 GMT
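An added illustration (not part of the original thread) of the point made above about client-side MD5 and the stored hash: in the quoted proposal the server keeps MD5(password) and the client transmits MD5(password) so the two match, and an HMAC challenge/response layered on top is keyed with that same stored value. The stored hash therefore acts as the credential itself, so anyone who holds it (from a database dump or from the wire) passes both checks without knowing the password. Names, the sample user and password are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample user table: the server stores MD5(password), as in the
# quoted proposal. The client is expected to send MD5(password) to match it.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def client_md5_login(password: str) -> str:
    """What the proposed client-side MD5 step would put on the wire."""
    return hashlib.md5(password.encode()).hexdigest()


def server_check_md5(user: str, transmitted: str) -> bool:
    """Server compares the transmitted value against the stored MD5."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, transmitted)


def client_hmac_login(password: str, challenge: bytes) -> str:
    """Challenge/response variant: HMAC keyed with the client's MD5(password)."""
    key = client_md5_login(password).encode()
    return hmac.new(key, challenge, hashlib.sha1).hexdigest()


def server_check_hmac(user: str, challenge: bytes, response: str) -> bool:
    """Server recomputes the HMAC using the stored MD5 as the key."""
    stored = USERS.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, response)


def stored_hash_is_password_equivalent() -> dict:
    """Show that the stored hash alone satisfies both checks.

    'leaked' stands for the stored MD5 obtained without the password, e.g.
    from a database dump; no plaintext password is ever used for it.
    """
    leaked = USERS["alice"]
    challenge = os.urandom(16)  # fresh server-supplied challenge
    leaked_response = hmac.new(leaked.encode(), challenge, hashlib.sha1).hexdigest()
    return {
        "honest_md5": server_check_md5("alice", client_md5_login("correct horse")),
        "leaked_md5": server_check_md5("alice", leaked),
        "honest_hmac": server_check_hmac("alice", challenge,
                                         client_hmac_login("correct horse", challenge)),
        "leaked_hmac": server_check_hmac("alice", challenge, leaked_response),
    }
```

All four entries come back True: the challenge only stops replay of a single captured response, it does not change the fact that the value in the database is all that is needed to log in.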
