Re: Objection to password role

This is a fairly damning amount of evidence. Michiel’s compilation makes it clear the working group process has ignored the advice of several members, including browser implementors, with regards to several serious concerns… not the least of which are:

• user privacy
• security vulnerabilities including XSS
• incompatibility with assistive technology

Why is this role still being considered?


> On Jun 17, 2016, at 3:10 AM, Michiel Bijl <michiel@agosto.nl> wrote:
> 
> All,
> 
> A lot has been said about the password role. Security problems, lack of good use cases, and difficulties for users. Despite all that, it seems it will still get into the final specification. I would like to quote the ‘Priority of Constituencies’ (thank you Jonathan Kingston for reminding me):
> 
>> In case of conflict, consider users over authors over implementors over specifiers over theoretical purity.
> 
> How is adding a role—where one of the use cases is preventing the use of password managers—helping the users? How does that adhere to the priority of constituencies?
> 
> To give some background to this e-mail, I’ve looked up some discussions on the list:
> 
> James Craig opposing this on potential security implications
> Léonie Watson expressing concerns about character obfuscation
> Birkir Gunnarsson stating we are reinventing the wheel (and suggesting we might be better off with an aria-secure attribute)
> Brad Hill on security risks and website identity verification
> Léonie Watson expressing concerns about ATs announcing “custom password”
> John Foliot expressing concerns in general about the password role
> Me asking for an update on contact with the Security & Privacy IG (no reply)
> 
> Some more background links:
> 
> Original post to list by Joanie
> Issue on W3C tracker
> Security check by Microsoft (W3C tracker issue)
> Jonathan Kingston’s excellent piece on the password role
> Marco Zehe agreeing with Jonathan’s article on Twitter
> 
> 
> I’ve reread large parts of the threads, and don’t see any good reason to implement this. There don’t seem to be a lot of people in favour of this role. There are however a lot of people raising concerns. There hasn’t been a formal review by any of the security working groups as far as I can tell.
> 
> So why is this role being pushed so hard despite all the concerns raised?
> 
> —Michiel
> 

Received on Friday, 17 June 2016 16:06:11 UTC