Re: New version of Passwords in the Clear

From: John Cowan <cowan@ccil.org>
Date: Tue, 14 Nov 2006 14:13:25 -0500
To: noah_mendelsohn@us.ibm.com
Cc: Vincent Quint <Vincent.Quint@inrialpes.fr>, www-tag@w3.org
Message-ID: <20061114191325.GM3781@ccil.org>

noah_mendelsohn@us.ibm.com scripsit:

> With that in hand, I think the admonitions to "not solicit" passwords in 
> the clear and not "transmit passwords in the clear" take on some teeth. 
> This definition allows us to do what I think John is asking, which is to 
> talk a bit more about basic vs. digest authentication, and to explain the 
> senses in which each is or isn't "in the clear", when transmitted using 
> ordinary HTTP over TCP vs HTTP over SSL or TLS.

That's part of my point, but not the most significant part, I think.
My other point (expressed in the blog posting) was that "in the clear"
and "secure" are endpoints in a security spectrum in which there are
good reasons for having more than no, and less than total, security.

John Cowan      cowan@ccil.org
        "Not to know The Smiths is not to know K.X.U."  --K.X.U.
Received on Tuesday, 14 November 2006 19:13:40 UTC