Re: Proposed Final Review of W3C TAG Finding "Passwords in the Clear" from Ian Hickson on 2008-06-25 (public-html@w3.org from June 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 25 Jun 2008 00:18:52 +0000 (UTC)
To: David Orchard <orchard@pacificspirit.com>
Cc: public-html@w3.org
Message-ID: <Pine.LNX.4.62.0806250014500.13974@hixie.dreamhostps.com>

On Tue, 24 Jun 2008, David Orchard wrote:
> 
> On behalf of the W3C TAG, I would like to solicit a final review of the 
> Draft TAG finding "Passwords in the Clear" [1].  Comments on this draft 
> should be posted to www-tag@w3.org and are appreciated.  I'd like to 
> suggest July 18th 2008 as a rough timeframe for comments.
> 
> [1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

The spirit of the document seems very much in the right place. It isn't 
clear what is meant by "A client or browser MUST NOT transmit passwords in 
clear text.", however. For example, every connection to a member page of 
the W3C site requires sending a plain text password. If a browser stopped 
sending passwords in plain text, it would not be usable by W3C members.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 25 June 2008 00:21:41 UTC