- From: Chris Drake <christopher@pobox.com>
- Date: Fri, 27 Jun 2008 12:20:49 +1000
- To: "Doyle, Bill" <wdoyle@mitre.org>
- CC: "Dan Connolly" <connolly@w3.org>, "www-tag" <www-tag@w3.org>, public-usable-authentication@w3.org
Hi Bill, What's your cryptography background? Would you care to explain *why* you're "seconding" Dan, and how you'd propose to implement such a redesign? Kind Regards, Chris Drake Thursday, June 26, 2008, 11:42:42 PM, you wrote: DB> Chris, DB> I will second Dan's comment "Can be redesigned for the desired DB> functionality without a cleartext password transmission" DB> Just because it is easier to use cleartext transmission of passwords DB> does not mean that it is the correct way to secure the application. I DB> will also add the statement that the use of cleartext transmission of DB> passwords without other security mechanisms to enforce Information DB> Assurance (IA) provides no additional protection to the application. An DB> application design with no IA can be OK if the user has no risk, one DB> example of this is where data is considered public. DB> Kind Regards DB> Bill Doyle DB> wdoyle@mitre.org DB> -----Original Message----- DB> From: public-usable-authentication-request@w3.org DB> [mailto:public-usable-authentication-request@w3.org] On Behalf Of Chris DB> Drake DB> Sent: Wednesday, June 25, 2008 10:12 PM DB> To: Dan Connolly DB> Cc: www-tag; public-usable-authentication@w3.org DB> Subject: Re: delegation and passwordsInTheClear-52 DB> Hi Dan, DB> It is not trivially possible to redesign functionality to protect DB> passwords. DB> That statement both wrong and misleading: DC>> "Every scenario that involves possibly transmitting passwords in DB> the DC>> clear can be redesigned for the desired functionality without a DC>> cleartext password transmission." DB> You can't use hashing because of dictionary attack risks, so the only DB> possible "redesign" requires some kind of two-way secure session DB> initiation to be negotiated. That's obviously never possible in DB> "Every scenario". DB> A more accurate statement would be:- DB> "Preventing cleartext or equivalent password transmission requires DB> SSL or custom server/client components designed to negotiate secure DB> sessions." DB> Kind Regards, DB> Chris Drake DB> Thursday, June 26, 2008, 12:30:20 AM, you wrote: DC>> I wonder about this: DC>> "Every scenario that involves possibly transmitting passwords in DB> the DC>> clear can be redesigned for the desired functionality without a DC>> cleartext password transmission." DC>> -- DC>> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080602 DC>> W3C has tried to stamp out cleartext passwords on its own DC>> web site a few times, but one of the main blockers, aside from DC>> buggy support for digest in various bits of software, is DB> delegation. DC>> W3C has a few forms-based services that use DC>> cleartext passwords for delegation; e.g. our XSLT service DC>> http://www.w3.org/2005/08/online_xslt/#authinfo DC>> If you want to use the service on password-protected pages, DC>> you just put the credentials in a form and it uses them. DC>> The main use case is password-protected pages inside w3.org DC>> (though I'm not sure that's technically enforced) so it's DC>> not really all *that* much less secure than sending credentials DC>> to get the actual password-protected page. Still, yes, DC>> it makes many of us uncomfortable. DC>> How can these delegated services be "redesigned for the desired DC>> functionality without a cleartext password transmission." DC>> The W3C systems team has been looking at this for several DC>> years without finding a solution.
Received on Friday, 27 June 2008 02:21:52 UTC