W3C home > Mailing lists > Public > www-tag@w3.org > November 2006

Re: New version of Passwords in the Clear

From: John Cowan <cowan@ccil.org>
Date: Wed, 15 Nov 2006 14:38:31 -0500
To: "Rice, Ed (ProCurve)" <ed.rice@hp.com>
Cc: www-tag@w3.org
Message-ID: <20061115193831.GE17980@ccil.org>

Rice, Ed (ProCurve) scripsit:

> For example, on the news source
> outlined in the post it clear that a news story doesn't need to use
> SHTML but if the user hasn't authenticated it would be easy to redirect
> the user to a login page and I do think that login page should use
> SHTML.  Once the user has authenticated, the content may or may not
> raise to the level of secure content and if not straight HTML in fact
> would be preferable.

I assume s/HTML/HTTP/.  In any case, basic HTTP authentication has no
concept of a "login page"; every request bears the authentication headers
except the first one, which fails with a 403.  My present employer
deploys RSS feeds under basic authentication, for example, where
there would be no way to handle a login page if it did exist.

> So, what John's article doesn't say is 'yeah, I think its ok to pass
> passwords around in clear text' I believe he's saying 'only secure what
> you need to'.. I don't disagree with the latter. (John correct me if
> I've miss-read).

No, I do affirm that passing around passwords in clear text may be good
enough in particular cases, just as signs that say "UNAUTHORIZED PERSONNEL
KEEP OUT" may be enough, or easily-forced pin-tumbler locks, or any
number of other easily defeated technologies.

-- 
Some people open all the Windows;       John Cowan
wise wives welcome the spring           cowan@ccil.org
by moving the Unix.                     http://www.ccil.org/~cowan
  --ad for Unix Book Units (U.K.)
        (see http://cm.bell-labs.com/cm/cs/who/dmr/unix3image.gif)
Received on Wednesday, 15 November 2006 21:00:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:47:43 GMT