- From: Amir Herzberg <amir.herzberg@gmail.com>
- Date: Thu, 22 Jun 2006 09:29:58 +0300
- To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- CC: public-usable-authentication@w3.org
Mary Ellen Zurko wrote:

> > - Web Security Context Baseline.
> > http://www.w3.org/2005/Security/wsc-charter
> >
> > Think of this as "Secure Metadata" and "Secure Chrome" put
> > together: What should user agents display, and how can
> > they do this securely?
>
> No surprise to anyone on this list, I like this one. I think it
> provides real value, both against attacks and as a foundation to other
> works. It explicitly goes after the space of what can be spoofed,
> which needs more attention.

Agree.

> > - Form Annotations for HTTP Authentication.
> > http://www.w3.org/2005/Security/htmlauth-charter
> >
> > Think of this as form-filler support on steroids, as
> > sketched in late May on this list.
>
> I'm less excited about this one, but it could be that I don't have the
> full vision. What irks me about this one is that passwords aren't the
> only thing. In fact, they're not even always the most useful thing.
> Other PII like credit card numbers, SSN, etc. are still ripe forms of
> attack.

Some of this subject is indeed not limited to passwords, and I think the charter should be modified to allow for other sensitive data entered by web users (typically on forms).

> So what I don't get about this one is "why"? If it's "just" to provide
> an excellent foundation for exploring solutions that need this
> feature, then I do get that, because there's research that's having
> problems with this. I'm missing why, if protecting passwords is the
> question, Digest isn't the answer. It may be obvious to pretty much
> everyone else, so apologies if it is.

The problem is not, imho, the (bad) use of passwords on the clear. The problem is mainly phishing - people entering passwords into wrong sites - combined with dictionary attacks (people using weak passwords) and the infamous password-reuse problem (using same password for multiple sites).

I think we have good solutions here and one of the missing components is browser support - for identifying these fields, for changing to a software-generated password automatically, and for the UI (which should be integrated with the secure chrome work item).

Best, Amir Herzberg
Received on Thursday, 22 June 2006 06:30:31 UTC