- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Wed, 21 Jun 2006 14:26:52 -0400
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-usable-authentication@w3.org
- Message-ID: <OF1B7CCA42.5602DC8F-ON85257194.006454A1-85257194.00655E03@notesdev.ibm.com>
> - Web Security Context Baseline.
>   http://www.w3.org/2005/Security/wsc-charter
>
> Think of this as "Secure Metadata" and "Secure Chrome" put
> together: What should user agents display, and how can
> they do this securely?

No surprise to anyone on this list, I like this one. I think it provides real value, both against attacks and as a foundation to other works. It explicitly goes after the space of what can be spoofed, which needs more attention.

> - Form Annotations for HTTP Authentication.
>   http://www.w3.org/2005/Security/htmlauth-charter
>
> Think of this as form-filler support on steroids, as
> sketched in late May on this list.

I'm less excited about this one, but it could be that I don't have the full vision. What irks me about this one is that passwords aren't the only thing. In fact, they're not even always the most useful thing. Other PII like credit card numbers, SSN, etc. are still ripe forms of attack. So what I don't get about this one is "why"? If it's "just" to provide an excellent foundation for exploring solutions that need this feature, then I do get that, because there's research that's having problems with this. I'm missing why, if protecting passwords is the question, Digest isn't the answer. It may be obvious to pretty much everyone else, so apologies if it is.

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
IBM Lotus/WPLC Security Strategy and Architecture
Received on Wednesday, 21 June 2006 18:27:08 UTC