W3C home > Mailing lists > Public > www-tag@w3.org > December 2006

RE: Passwords in the Clear

From: <Alastair.Green@barclayscapital.com>
Date: Thu, 14 Dec 2006 16:07:29 -0000
Message-ID: <B60EE4C03F4E504FBF53C17A152CE02207FE3C66@LDNPCMEU301VEUA.INTRANET.BARCAPINT.COM>
To: <cowan@ccil.org>
Cc: <www-tag@w3.org>, <alastair.green@choreology.com>

The security of data in motion derived from SSL is what allows you to
use Basic Auth (transmit a password "in the clear"). So, if you combine
the two, then we get encrypted transmission of a shared secret that
enables both sides to establish a reasonable level of trust. That was
the point of mentioning protecting data in transmission: we need to
protect the password.

What you do with the data thereafter is your choice, tho' I doubt you're
going to flip back to HTTP-no-S to move the credit card details. You've
now got a trusted, encrypted pipe. And only one side needed a
certificate. It's not perfect, but it works. 

It works so well that Digest Auth never got off the ground, as far as I
can tell. 

Which, I guess, is another way of saying that I agree with you that
Basic Auth in the clear can be just fine so long as the value of the
data and of the interaction is very low, and I think it would be fine to
say that with a "caveat emptor" in something like the TAG document.

There is no harm in encouraging people to consider the trade-offs (do
the threat analysis), and I agree with your emphasis on that. I am not a
fan of security technology for security technology's sake. However, in
my view the central answer to the question "shoud passwords go in the
clear" is "No". There are outlier cases, but they are not the place to
start.

Alastair

-----Original Message-----
From: John Cowan [mailto:cowan@ccil.org] 
Sent: 14 December 2006 15:42
To: Green, Alastair: IT (LDN)
Cc: www-tag@w3.org; alastair.green@choreology.com
Subject: Re: Passwords in the Clear


Alastair.Green@barclayscapital.com scripsit:

> Certificates don't give you high protection from fraudulent endpoints,

> I agree, but they give some, and they do give you protection from 
> observation of data in motion.

Protecting data in transmission is a very different point from
protecting passwords.  If you need the former, you might as well have
the latter. I understand the issue here to be one in which secure data
is not a requirement but secure access supposedly is.

-- 
Is a chair finely made tragic or comic? Is the          John Cowan
portrait of Mona Lisa good if I desire to see           cowan@ccil.org
it? Is the bust of Sir Philip Crampton lyrical,
http://ccil.org/~cowan
epical or dramatic?  If a man hacking in fury
at a block of wood make there an image of a cow,
is that image a work of art? If not, why not?               --Stephen
Dedalus
------------------------------------------------------------------------
For more information about Barclays Capital, please visit our web site at http://www.barcap.com.

Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message.  Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed.  Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group.  Replies to this email may be monitored by the Barclays Group for operational or business reasons.
------------------------------------------------------------------------
Received on Thursday, 14 December 2006 16:07:49 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:32:50 UTC