- From: Dave Kristol <dmk@research.bell-labs.com>
- Date: Wed, 2 Sep 1998 19:47:08 -0400 (EDT)
- To: http-wg@hplb.hpl.hp.com, paulle@microsoft.com
Paul Leach <paulle@microsoft.com> wrote:
> [...]
> This is the proposed replacement for the paragraph in question:
>
> If a server permits users to select their own passwords, then the threat is
> not only illicit access to documents on the server but also illicit access
> to any other resources on other systems that the user protects with the same
> password. Furthermore, in the server's password database, many of the
> passwords may also be users' passwords for other sites. The owner or
> administrator of such a system could conceivably incur liability if this
> information is not maintained in a secure fashion.

Just a (what else?) nit: the word "illicit" makes me uncomfortable.
How about "unauthorized"?

I'm also inclined to agree with Scott's remarks about "liability".
Perhaps the last sentence should read:

    The owner or administrator of such a system could therefore expose
    all users of the system to the risk of unauthorized access of all
    those accounts if this information is not maintained in a secure
    fashion.

Dave Kristol

Received on Wednesday, 2 September 1998 16:49:32 UTC