
Re: New draft TAG finding - Passwords in the Clear

From: Dan Connolly <connolly@w3.org>
Date: Tue, 3 Oct 2006 13:32:56 -0500
Message-Id: <0cfeee6d1d0d603bd81140e92d015d0c@w3.org>
Cc: www-tag@w3.org
To: Vincent.Quint@inrialpes.fr

On Oct 2, 2006, at 4:02 AM, Vincent Quint wrote:
>     http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

I see...

"While the W3C does maintain a security reference page to its work1, it 
has not been active in promoting security, instead allowing the market 
to drive improvements. "

I don't agree with that; regardless, I don't see what it adds; please 
take it out.

> Abstract:
>
> The purpose of this finding is to clarify the security concerns around
> using passwords on the world wide web.  Specifically, the objective is
> to point out a few conclusions the TAG has come to;
> 1) Passwords MUST NOT be transmitted in clear test.

It seems to say SHOULD NOT in the body. Why the difference?

ed.: s/test/text/

also... there's an IETF RFC on passwords in the clear that
Ed and I found a while ago... darn; I can't find it now.

-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
Received on Tuesday, 3 October 2006 18:33:10 GMT
