
RE: [passwordInTheClear-52]: A summary of where I think we are.

From: David Orchard <dorchard@bea.com>
Date: Wed, 27 Jun 2007 09:53:44 -0700
Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E414144@repbex01.amer.bea.com>
To: "John Cowan" <cowan@ccil.org>, "Williams, Stuart (HP Labs, Bristol)" <skw@hp.com>
Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <www-tag@w3.org>, "Rice, Ed (ProCurve)" <ed.rice@hp.com>

I think it would be hard for a browser to tell the difference between
low-security and non-low-security sites.  So trying to have the browser
do something for the non-low-security sites and avoid prompting on
low-security seems impossible.  

I think that the people that don't want to be prompted and know that the
site is low security are in a very small majority of the users of the
web.

I'd really like to still have the reliable basis to advise that UA's
detect weakly protected password transfers.

This would help any of the users of the non-low-security sites and
perhaps prompt them to raise their security.  Who knows, maybe also the
low-security sites would raise their security level to avoid the UA's
advising about their password transfers.

Cheers,
Dave

> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] 
> On Behalf Of John Cowan
> Sent: Wednesday, June 27, 2007 9:47 AM
> To: Williams, Stuart (HP Labs, Bristol)
> Cc: Mary Ellen Zurko; www-tag@w3.org; Rice, Ed (ProCurve)
> Subject: Re: [passwordInTheClear-52]: A summary of where I think we are.
> 
> 
> Williams, Stuart (HP Labs, Bristol) scripsit:
> 
> > 1) Some regard that there are reasonable use cases for weak protection
> > of passwords - and demur against the Good Practice advice: "A client
> > or browser SHOULD NOT transmit passwords in clear text."
> 
> [snip]
> 
> > 	a desire to find a reliable basis on which to advise that UA's detect
> > weakly protected password transfers;
> 
> This combination strikes me as counterproductive.  I have 
> made decisions I consider to be rational that low-security 
> passwords suffice for certain kinds of sites: for example, 
> sites that let me subscribe or unsubscribe to mailing lists.  
> If my browser yammers every time I deal with such a site, I 
> will shut it up, get someone else to shut it up, or find a 
> less compliant but more usable browser.  I don't think I'm 
> alone in this feeling.
> 
> -- 
> All Norstrilians knew what laughter was:        John Cowan
> it was "pleasurable corrigible malfunction".    cowan@ccil.org
>         --Cordwainer Smith, Norstrilia
> 
> 
Received on Wednesday, 27 June 2007 16:54:37 UTC
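The thread above argues about whether a user agent should flag "weakly protected password transfers" and whether it can tell a low-security site from any other. The following is an added illustration, not code from the W3C TAG or from any of the participants, of the kind of check a browser could apply: resolve where a form would submit to and flag it when it carries a password field and the submission would travel over plain http (or would put the password into the request URL via GET). The page URLs, form objects and field names are constructed for the demo; in a real browser the same data comes from HTMLFormElement. Note that nothing in this check can distinguish a mailing-list signup from a bank login, which is exactly the limitation the messages above discuss.

```javascript
// Added illustration (not part of the original thread): a minimal version of the
// check a user agent could apply to decide whether a form would send a password
// in the clear. Forms are modelled as plain objects so this runs under Node
// without a DOM.

// Constructed sample page URLs (assumptions for the demo).
const SAMPLE_PAGE_HTTPS = "https://lists.example.org/subscribe";
const SAMPLE_PAGE_HTTP = "http://lists.example.org/subscribe";

// Resolve where a form submission would go, following HTML: an empty or
// missing action submits back to the document's own URL.
function resolveSubmitUrl(pageUrl, action) {
  if (action === undefined || action === null || action.trim() === "") {
    return new URL(pageUrl);
  }
  return new URL(action, pageUrl);
}

// Does the form contain any <input type="password">?
function hasPasswordField(form) {
  return (form.inputs || []).some(
    (i) => String(i.type || "text").toLowerCase() === "password"
  );
}

// Returns a small report: whether the form carries a password and whether
// the transfer would be weakly protected. Two conditions are flagged:
// submission over a non-https scheme, and a GET form, which would place the
// password in the URL (history, proxy and server logs) even over https.
function assessPasswordForm(pageUrl, form) {
  const target = resolveSubmitUrl(pageUrl, form.action);
  const method = String(form.method || "get").toLowerCase();
  const carriesPassword = hasPasswordField(form);
  const reasons = [];
  if (carriesPassword && target.protocol !== "https:") {
    reasons.push(`password would be sent over ${target.protocol.replace(":", "")}`);
  }
  if (carriesPassword && method === "get") {
    reasons.push("password would be placed in the request URL");
  }
  return {
    submitsTo: target.href,
    carriesPassword,
    weaklyProtected: reasons.length > 0,
    reasons,
  };
}

// Walk every form on a page and collect the ones a UA might warn about,
// keeping each form's index so the report can point back at it.
function findWeakPasswordForms(pageUrl, forms) {
  return forms
    .map((f, index) => ({ index, ...assessPasswordForm(pageUrl, f) }))
    .filter((r) => r.weaklyProtected);
}

// Constructed forms for the demo: a relative-action login, an explicit http
// login, a password-free signup, and an https login that (wrongly) uses GET.
const SAMPLE_FORMS = [
  { action: "/login", method: "post", inputs: [{ type: "text" }, { type: "password" }] },
  { action: "http://lists.example.org/login", method: "post", inputs: [{ type: "password" }] },
  { action: "", method: "get", inputs: [{ type: "email" }] },
  { action: "https://lists.example.org/login", method: "get", inputs: [{ type: "password" }] },
];
```

Calling `findWeakPasswordForms(SAMPLE_PAGE_HTTPS, SAMPLE_FORMS)` flags forms 1 and 3; the same forms on `SAMPLE_PAGE_HTTP` additionally flag form 0, because its relative action now resolves to an http URL. The check only looks at transport and method, so a site that has deliberately chosen weak protection is reported exactly like one that has not.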
