- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 27 Jun 2008 08:08:48 -0400
- To: Dan Connolly <connolly@w3.org>
- Cc: public-usable-authentication@w3.org,www-tag <www-tag@w3.org>
- Message-ID: <OFEC35F75C.5DBC727E-ON85257475.0042A450-85257475.0042B728@LocalDomain>
I'm confused. Why can't this transmission be SSL/TLS/HTTPS protected? I'm sure I'm missing something super obvious. Mez From: Dan Connolly <connolly@w3.org> To: www-tag <www-tag@w3.org>, public-usable-authentication@w3.org Date: 06/25/2008 10:30 AM Subject: delegation and passwordsInTheClear-52 Sent by: public-usable-authentication-request@w3.org I wonder about this: "Every scenario that involves possibly transmitting passwords in the clear can be redesigned for the desired functionality without a cleartext password transmission." -- http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080602 W3C has tried to stamp out cleartext passwords on its own web site a few times, but one of the main blockers, aside from buggy support for digest in various bits of software, is delegation. W3C has a few forms-based services that use cleartext passwords for delegation; e.g. our XSLT service http://www.w3.org/2005/08/online_xslt/#authinfo If you want to use the service on password-protected pages, you just put the credentials in a form and it uses them. The main use case is password-protected pages inside w3.org (though I'm not sure that's technically enforced) so it's not really all *that* much less secure than sending credentials to get the actual password-protected page. Still, yes, it makes many of us uncomfortable. How can these delegated services be "redesigned for the desired functionality without a cleartext password transmission." The W3C systems team has been looking at this for several years without finding a solution. -- Dan Connolly, W3C http://www.w3.org/People/Connolly/ gpg D3C2 887B 0F92 6005 C541 0875 0F91 96DE 6E52 C29E
Received on Friday, 27 June 2008 12:09:25 UTC