W3C home > Mailing lists > Public > www-tag@w3.org > June 2008

Re: delegation and passwordsInTheClear-52

From: Chris Drake <christopher@pobox.com>
Date: Thu, 26 Jun 2008 12:11:44 +1000
Message-ID: <1301043622.20080626121144@pobox.com>
To: Dan Connolly <connolly@w3.org>
CC: www-tag <www-tag@w3.org>, public-usable-authentication@w3.org

Hi Dan,

It is not trivially possible to redesign functionality to protect
passwords.

That statement both wrong and misleading:
DC> "Every scenario that involves possibly transmitting passwords in the
DC> clear can be redesigned for the desired functionality without a
DC> cleartext password transmission."

You can't use hashing because of dictionary attack risks, so the only
possible "redesign" requires some kind of two-way secure session
initiation to be negotiated.  That's obviously never possible in
"Every scenario".

A more accurate statement would be:-

  "Preventing cleartext or equivalent password transmission requires
   SSL or custom server/client components designed to negotiate secure
   sessions."

Kind Regards,
Chris Drake


Thursday, June 26, 2008, 12:30:20 AM, you wrote:


DC> I wonder about this:

DC> "Every scenario that involves possibly transmitting passwords in the
DC> clear can be redesigned for the desired functionality without a
DC> cleartext password transmission."
DC>   --
DC> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080602

DC> W3C has tried to stamp out cleartext passwords on its own
DC> web site a few times, but one of the main blockers, aside from
DC> buggy support for digest in various bits of software, is delegation.

DC> W3C has a few forms-based services that use
DC> cleartext passwords for delegation; e.g. our XSLT service
DC>   http://www.w3.org/2005/08/online_xslt/#authinfo

DC> If you want to use the service on password-protected pages,
DC> you just put the credentials in a form and it uses them.

DC> The main use case is password-protected pages inside w3.org
DC> (though I'm not sure that's technically enforced) so it's
DC> not really all *that* much less secure than sending credentials
DC> to get the actual password-protected page. Still, yes,
DC> it makes many of us uncomfortable.

DC> How can these delegated services be "redesigned for the desired
DC> functionality without a cleartext password transmission."

DC> The W3C systems team has been looking at this for several
DC> years without finding a solution.
Received on Thursday, 26 June 2008 02:12:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:47:58 GMT