- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Thu, 14 Feb 2008 11:40:41 -0800
- To: "Chris Drake" <christopher@pobox.com>
- Cc: "David Orchard" <dorchard@bea.com>, <public-usable-authentication@w3.org>

From: Chris Drake [mailto:christopher@pobox.com]

>> 4) Passwords belong to users, users should decide who manages them.

>Good point

>> It follows therefore that any site which requires a password to be
>> supplied ...

>Well - technically - you've made a mistake already. If passwords belong to users, then there should
>never be any way for users to give passwords to sites. This comes back to the hashing problem again,
>with the added annoyance of requiring universal user-agent support for something secure as well.

Well that is the risk you face when you have an idea in mid-message and promote it to a heading.

But your argument does not quite work. My money belongs to me but I keep it in the bank. It follows that it is reasonable for me to give my password to an identity authority acting on my behalf. I should not need to give my password to the nytimes just to read an article.

Received on Thursday, 14 February 2008 19:41:55 UTC