- From: Charles McCathieNevile <chaals@opera.com>
- Date: Thu, 26 Oct 2006 18:53:01 +1000
- To: "Johannes Koch" <johannes.koch@fit.fraunhofer.de>, public-wai-ert@w3.org
On Thu, 26 Oct 2006 17:42:46 +1000, Johannes Koch <johannes.koch@fit.fraunhofer.de> wrote:

> Carlos Iglesias schrieb:
>> However there is some information in the "HTTP Vocabulary in RDF" that
>> is clearly sensitive. My first thoughts are for the "authorization"
>> property which contains the userid and password, specially in "Basic
>> Authentication" that relies just on a base64 encoded string.
>
> Because it is the same in the HTTP protocol itself, I don't see the need
> for additionally encrypting it for EARL.

If you want to encrypt it in EARL you could use a hashing algorithm. I suspect that in many cases it makes more sense to use a URI that has nothing to do with the original password as an identifier. An example use case would be describing the characteristics of a system that customises itself according to who you log in as (W3C has a number of these in its member area, and Opera has them in our intranet).

It depends on how much protection you want - publishing an encrypted password is not quite as foolish as publishing it unencrypted, but it is not that infeasible to crack most encryption methods. Better to mint a URI that is separate, and doesn't have any relation to the password itself. Even in an automated system you could do this - get the user ID number, and use that to generate the identifier. The only place this breaks is where the password itself is significant. And it has the benefit of working even if I change my password every 10 days (as required in some security systems).

So I still think we should do nothing, but might explain this issue in informative text.

cheers

chaals

-- 
Charles McCathieNevile, Opera Software: Standards Group
hablo español - je parle français - jeg lærer norsk
chaals@opera.com Try Opera 9 now! http://opera.com
Received on Thursday, 26 October 2006 09:22:42 UTC
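The two options weighed in the message above, publishing a hash of the Basic-auth password versus minting an identifier from the account ID, as an added worked example that is not part of the thread or of the HTTP-in-RDF vocabulary. The credentials, the account-ID table, the wordlist, the minting key and the `ex:` terms and `https://example.org/account/` base are all constructed for this example; the real EARL/HTTP vocabulary property names are not used.

```python
import base64
import hashlib
import hmac

# Constructed sample data for this example (not from the original thread):
# a Basic Authorization header as captured from an HTTP request, and a
# user-name -> numeric account-ID table an automated system could consult.
SAMPLE_AUTH_HEADER = "Basic " + base64.b64encode(b"jkoch:letmein").decode("ascii")
ACCOUNT_IDS = {"jkoch": 1042}
# Small constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "opera"]
# Secret held by the system that mints identifiers; assumed, never published.
MINT_KEY = b"server-side-secret-for-this-example"


def parse_basic(header_value):
    """Decode 'Basic <base64(user:password)>' into (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    creds = base64.b64decode(token).decode("utf-8")
    user, _, password = creds.partition(":")
    return user, password


def hashed_password(password):
    """What 'use a hashing algorithm' would publish: an unsalted SHA-256 digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_hashed_password(digest, wordlist):
    """Offline dictionary attack on an unsalted digest. Returns the recovered
    password, or None. Shows why a published hash is only marginally better
    than the plaintext: anyone holding the digest can test guesses at will."""
    for candidate in wordlist:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest:
            return candidate
    return None


def mint_account_uri(account_id, key, base="https://example.org/account/"):
    """Mint an opaque identifier from the numeric account ID, not the password.
    A keyed HMAC keeps the raw ID out of the published data, and the result
    stays stable when the password changes. The base URI is hypothetical."""
    tag = hmac.new(key, str(account_id).encode("ascii"), hashlib.sha256).hexdigest()
    return base + tag[:32]


def describe_request(header_value, account_ids, key):
    """Return a Turtle fragment describing the request with the minted URI in
    place of the credential. The 'ex:' terms are placeholders for this
    example, not the real HTTP-in-RDF vocabulary."""
    user, _password = parse_basic(header_value)  # password is read, never emitted
    subject = mint_account_uri(account_ids[user], key)
    return (
        "@prefix ex: <http://example.org/http-vocab#> .\n"
        "[] a ex:Request ;\n"
        f"   ex:authenticatedAs <{subject}> ."
    )
```

`crack_hashed_password` recovers "letmein" from its digest with a five-word list, which is the point the message makes about hashing; `describe_request` emits a description that contains neither the password nor the user name, yet still lets two requests by the same account be correlated, and the minted URI does not change when the account's password does.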