- From: Justin James <j_james@mindspring.com>
- Date: Wed, 25 Jun 2008 00:58:12 -0400
- To: "'Mark Baker'" <distobj@acm.org>
- Cc: <public-html@w3.org>
Mark -

Great summary of my thoughts. If this is reworded to be a simple, "hey, don't send passwords in the clear unless you have a really good reason for it" piece, then I have no problem with it. :)

J.Ja

-----Original Message-----
From: public-html-request@w3.org [mailto:public-html-request@w3.org] On Behalf Of Mark Baker
Sent: Wednesday, June 25, 2008 12:43 AM
To: Justin James
Cc: public-html@w3.org
Subject: Re: Proposed Final Review of W3C TAG Finding "Passwords in the Clear"

On Wed, Jun 25, 2008 at 12:22 AM, Justin James <j_james@mindspring.com> wrote:
>
> So, anyone not using HTTP 403 style authentication with Digest must use SSL?
> I really do not see this happening. There are far too many sites in which
> the capture of a password is fairly unimportant and/or the owners of the
> site cannot afford an SSL certificate. Additionally, to enforce this at the
> browser level with the "MUST NOT" phrasing is unrealistic;

Yup.

I mentioned this a few years ago on www-tag about another finding (or AWWW even, can't remember), but I don't think RFC 2119 terms are suitable for use by a TAG finding, especially in contexts such as a "best practice". How can something be a best practice *and* required in all situations without exception?! 8-O

RFC 2119 was designed for use by those defining Internet protocols, not advice for developers.

I think if the finding removed all references to those terms, it would be fine.

Mark.
Received on Wednesday, 25 June 2008 04:59:17 UTC