
RE: New draft TAG finding - Passwords in the Clear

From: Paul Cotton <Paul.Cotton@microsoft.com>
Date: Tue, 3 Oct 2006 13:18:20 -0700
To: "Rice, Ed (ProCurve)" <ed.rice@hp.com>, "Vincent.Quint@inrialpes.fr" <Vincent.Quint@inrialpes.fr>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <4D66CCFC0B64BA4BBD79D55F6EBC225719C53339E7@NA-EXMSG-C103.redmond.corp.microsoft.com>

> I had assumed that since SOAP uses HTTP and HTTPS that the relationship was implied.

Using HTTPS for SOAP messages is obviously an alternative.  But using this form of point-to-point security makes it impossible to support "SOAP intermediaries".  WS-Security provides "message level security" that works more completely with the SOAP model.

For a good description of these tradeoffs you can review the WS-I "Security Challenges, Threats and Countermeasures Version 1.0" document [1] which describes how to secure web services:

"The document is aimed at Web Services architects and developers who are examining the security aspects of the Web Services they are designing/developing."

/paulc

[1] http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com
> -----Original Message-----
> From: Rice, Ed (ProCurve) [mailto:ed.rice@hp.com]
> Sent: October 3, 2006 3:55 PM
> To: Paul Cotton; Vincent.Quint@inrialpes.fr; www-tag@w3.org
> Subject: RE: New draft TAG finding - Passwords in the Clear
>
> I had assumed that since SOAP uses HTTP and HTTPS that the relationship
> was implied.  Probably best to call it out, thanks.  I'm preparing another
> draft and I'll include SOAP messaging and the reference in the new draft.
> -Ed
>
>
> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of
> Paul Cotton
> Sent: Tuesday, October 03, 2006 12:35 PM
> To: Vincent.Quint@inrialpes.fr; www-tag@w3.org
> Subject: RE: New draft TAG finding - Passwords in the Clear
>
>
> Given the work of the W3C on web services, can Section 2.1 [1] point at
> the use of WS-Security [3] for securing SOAP messages including any
> passwords that might be supplied in clear text?
>
> /paulc
>
> [1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52#Secure%20Trasfer
> [3] http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf
>
> Paul Cotton, Microsoft Canada
> 17 Eleanor Drive, Ottawa, Ontario K2E 6A3
> Tel: (613) 225-5445 Fax: (425) 936-7329
> mailto:Paul.Cotton@microsoft.com
>
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> > Of Vincent Quint
> > Sent: October 2, 2006 5:03 AM
> > To: www-tag@w3.org
> > Cc: Vincent.Quint@inrialpes.fr
> > Subject: New draft TAG finding - Passwords in the Clear
> >
> >
> > All,
> >
> > A new draft TAG finding is available for review and comments:
> >
> >     Passwords in the Clear
> >
> >     http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> >
> > Abstract:
> >
> > The purpose of this finding is to clarify the security concerns around
> > using passwords on the world wide web.  Specifically, the objective is
> > to point out a few conclusions the TAG has come to;
> > 1) Passwords MUST NOT be transmitted in clear text.
> > 2) Passwords MUST NOT be displayed on the HTML form in clear text.
> > The purpose of this paper is to explain these findings and give direction
> > around possible alternatives.
> >
> > This will be discussed at the upcoming f2f meeting this week.
> > Comments on www-tag@w3.org are welcome.
> >
> > Vincent.
> > --------------
> > Vincent Quint                       INRIA Rhône-Alpes
> > INRIA                               ZIRST
> > e-mail: Vincent.Quint@inria.fr      655 avenue de l'Europe
> > Tel.: +33 4 76 61 53 62             Montbonnot
> > Fax:  +33 4 76 61 52 07             38334 Saint Ismier Cedex
> >                                     France
>
Received on Tuesday, 3 October 2006 20:19:16 GMT
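The contrast Paul draws above, transport security that ends at each SOAP intermediary versus WS-Security protecting the credential inside the message, as an added Python example that is not from this thread, the TAG finding or any WS-* toolkit. It builds a SOAP 1.2 envelope carrying a WS-Security UsernameToken, once with PasswordText (what an HTTPS-only design puts on the wire once TLS terminates at the intermediary) and once with PasswordDigest as defined by the WSS UsernameToken Profile 1.0, shows what a parsing intermediary can read in each case, and verifies the digest at the ultimate receiver with freshness and nonce-replay checks. The user table, the five-minute freshness window and the Ping payload are assumptions of the example.

```python
"""Added example (not from the thread): WS-Security UsernameToken with
PasswordText vs PasswordDigest, seen by an intermediary and verified by
the ultimate receiver.  Assumptions: the user table, the freshness window
and the urn:example:ping payload are illustrative only."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PROFILE = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0")
PASSWORD_TEXT = PROFILE + "#PasswordText"      # password sent in the clear
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"  # Base64(SHA-1(nonce+created+password))
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(s: str) -> datetime:
    """wsu:Created timestamp (UTC, second precision) -> aware datetime."""
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: raw nonce bytes, then Created and the
    password as UTF-8, hashed with SHA-1 and Base64-encoded."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, *, digest=True, created=None, nonce=None):
    """Client side: SOAP 1.2 envelope with a wsse:Security header."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if digest:
        pw.set("Type", PASSWORD_DIGEST)
        pw.text = password_digest(nonce, created, password)
        ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    else:
        pw.set("Type", PASSWORD_TEXT)
        pw.text = password
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "{urn:example:ping}Ping")
    return ET.tostring(env, encoding="utf-8")


def what_intermediary_sees(envelope: bytes) -> dict:
    """A SOAP intermediary parses the envelope to route it.  With transport
    (HTTPS) security alone the TLS session ends here, so every header field
    is readable at this hop; only message-level protection changes that."""
    tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    pw = tok.find(f"{{{WSSE}}}Password")
    return {"username": tok.findtext(f"{{{WSSE}}}Username"),
            "password_type": pw.get("Type", "").rpartition("#")[2],
            "password_field": pw.text}


def verify_envelope(envelope, lookup_password, seen_nonces, now=None,
                    max_skew=timedelta(minutes=5)):
    """Ultimate receiver: accept only digest tokens, fresh and not replayed."""
    now = now or datetime.now(timezone.utc)
    tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in wsse:Security header")
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != PASSWORD_DIGEST:
        raise ValueError("clear-text password rejected; PasswordDigest required")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if not nonce_b64 or not created:
        raise ValueError("digest token needs both Nonce and Created")
    if abs(now - parse_time(created)) > max_skew:
        raise ValueError("Created outside freshness window")
    if nonce_b64 in seen_nonces:
        raise ValueError("nonce reuse: replayed token")
    secret = lookup_password(username)
    if secret is None:
        raise ValueError("unknown user")
    expected = password_digest(base64.b64decode(nonce_b64), created, secret)
    if not hmac.compare_digest(expected, pw.text or ""):
        raise ValueError("digest mismatch")
    seen_nonces.add(nonce_b64)
    return username


if __name__ == "__main__":
    users = {"alice": "s3cret"}  # constructed sample user table
    print("transport-only :", what_intermediary_sees(build_envelope("alice", "s3cret", digest=False)))
    dig = build_envelope("alice", "s3cret")
    print("message-level  :", what_intermediary_sees(dig))
    print("receiver accepts", verify_envelope(dig, users.get, set()))
```

Two caveats worth keeping in mind when reading the output: PasswordDigest keeps the literal password away from every hop, but the receiver must still hold the password to recompute the digest, and anyone who captures Nonce, Created and the digest can run an offline guessing attack against it. The token also does not bind the Body, so in practice it is paired with XML Signature or Encryption from WS-Security, or with a TLS hop, rather than used on its own.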
