- From: Chris Drake <christopher@pobox.com>
- Date: Fri, 15 Feb 2008 17:23:37 +1000
- To: "James A. Donald" <jamesd@echeque.com>
- CC: "Hallam-Baker, Phillip" <pbaker@verisign.com>, David Orchard <dorchard@bea.com>, <public-usable-authentication@w3.org>
Hi James,

I actually fired off my reply too fast; I "missed" that Phillip was
alluding to IdP's (I incorrectly assumed he was suggesting that it's
"OK" to give passwords to more than 1 site).

JAD> I have been giving some thought to the problem of making SRP
JAD> usable to your mother in law...

Is this hard? Would this not solve it?:-

    HTTP/1.1 401 Authorization Required
    WWW-Authenticate: RFC2945 realm="Authorized access only."

It would seem that convincing Microsoft, Apache, Firefox, Opera,
Safari, ... is the hard part. The easy bit is more or less "done"?

So anyhow - the usual problem remains - we have elegant solutions to
the problem, but the vendors are unlikely to come to the party (ZKP's
decades old, and SRP's 9 already) - so we're stuck with the next best
thing: always use SSL, and maintain an active prejudice against places
that don't accept OpenID.

... and I'm not even going to *start* on the politics and lack of a
.com DNSSEC root key :-)

Kind Regards,
Chris Drake

Friday, February 15, 2008, 2:27:00 PM, you wrote:

JAD> --
JAD> Chris Drake wrote:
>> Well - technically - you've made a mistake already.
>> If passwords belong to users, then there should never
>> be any way for users to give passwords to sites. This
>> comes back to the hashing problem again, with the
>> added annoyance of requiring universal user-agent
>> support for something secure as well.

JAD> I assume you are talking about SRP or something similar.

JAD> We all know that everyone should do passwords using SRP
JAD> - at least, all of us that know what SRP is. I have
JAD> been giving some thought to the problem of making SRP
JAD> usable to your mother in law, and the guy who was given
JAD> the job of bringing up the web site because everyone
JAD> else was too busy, and it is not so simple as one might
JAD> think. Has to be done, of course, and eventually will
JAD> be done, just saying it is a hard row to hoe.

Received on Friday, 15 February 2008 07:24:33 UTC