RE: Migrating "A Well-Known URL for Changing Passwords" to WebAppSec from WICG

No objections here.

I do wonder if we should (non-normatively) mention the concern that having a well-known password change url could be used for nefarious purposes (e.g. sending a lot of emails, denial of service if there’s a rate limit on password changes, authentication attacks against security questions, etc.).  I don’t think it’s a strong objection (in general, a password change url has to be pretty easily discoverable already) but it seems weird not to say anything about that concern in the document once this is being released as part of a security working group.

Terri

From: Mike West <mkwst@google.com>
Sent: Tuesday, May 05, 2020 1:47 AM
To: Theresa O'Connor <hober@apple.com>
Cc: Web Application Security Working Group <public-webappsec@w3.org>; Ricky Mondello <rmondello@apple.com>
Subject: Re: Migrating "A Well-Known URL for Changing Passwords" to WebAppSec from WICG

Hey Tess!

This seems reasonable to me, and is consistent with our conversation on the topic at TPAC last year (https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#well-knownchange-password).

I'd be comfortable adopting this specification, and publishing it as a FPWD. Let's give the working group's members a week to object. If no objections come in by May 12th, I think we could comfortably declare consensus.

-mike


On Mon, May 4, 2020 at 10:38 PM Theresa O'Connor <hober@apple.com> wrote:
Hi all,

Currently, if the user of a password manager would like to change their
password on `example.com`, pretty much all password managers can do is
load `example.com` in a browser tab and hope the user can figure out how
to update their password themselves.

Ricky (CCed) and I have been working on a simple spec in WICG to improve
this situation & to help services discover where on a website users may
change their passwords by defining the `/.well-known/change-password`
well-known resource:

    A Well-Known URL for Changing Passwords
    <https://wicg.github.io/change-password-url/>

We think it's ready to migrate to the standards track somewhere, and
WebAppSec seems like a good fit.

    https://github.com/WICG/change-password-url/issues/18


Thoughts? Concerns?


Tess
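The mechanism Tess describes, as an added example that is not part of this thread, the WICG spec, or any password manager's code: a site answers `/.well-known/change-password` with a redirect to wherever its real form lives, and the password manager follows that redirect instead of guessing. Assumptions of this example: `/settings/password` is a hypothetical site path; `fetchFn` is an injected stand-in for `fetch(url, { redirect: "manual" })` so the probe runs offline against constructed sample sites; and the https-only and no-downgrade checks are this example's own policy, not something the spec requires.

```javascript
// Added example, not code from the WICG spec or from any password manager:
// both halves of the /.well-known/change-password mechanism as pure functions.

const WELL_KNOWN_PATH = "/.well-known/change-password";
// Hypothetical site layout assumed here: the real form lives at /settings/password.
const CHANGE_PASSWORD_PATH = "/settings/password";

// Server side: the site does not put the form at the well-known path; it just
// redirects GET/HEAD requests for that path to where the form actually lives.
function handleWellKnownRequest(method, pathname) {
  if (pathname !== WELL_KNOWN_PATH) {
    return { status: 404, headers: {} };
  }
  if (method !== "GET" && method !== "HEAD") {
    return { status: 405, headers: { Allow: "GET, HEAD" } };
  }
  // A relative Location is resolved by the client against the request URL.
  return { status: 302, headers: { Location: CHANGE_PASSWORD_PATH } };
}

// Case-insensitive header lookup, since real responses may use any casing.
function header(res, name) {
  const key = Object.keys(res.headers).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key === undefined ? null : res.headers[key];
}

// Password-manager side. fetchFn(url) returns { status, headers } WITHOUT
// following redirects (like fetch(url, { redirect: "manual" })); it is
// injected so the probe can run against the constructed sites below.
// Returns the URL to open, or null when the site does not support the resource.
function resolveChangePasswordUrl(origin, fetchFn, maxRedirects = 5) {
  let url = new URL(WELL_KNOWN_PATH, origin);
  // Policy of this example (not a spec rule): only probe https origins; a
  // password manager should not send a user to a password form over plain HTTP.
  if (url.protocol !== "https:") return null;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fetchFn(url.href);
    const location = header(res, "Location");
    if (res.status >= 300 && res.status < 400 && location !== null) {
      url = new URL(location, url);
      if (url.protocol !== "https:") return null; // refuse a downgrade to http:
      continue;
    }
    if (res.status >= 200 && res.status < 300) return url.href;
    return null; // 404, 5xx, or a 3xx with no Location: not supported
  }
  return null; // redirect loop or chain longer than maxRedirects
}

// Constructed sample sites for offline use (not any real host's behaviour).
function siteWithSupport(urlString) {
  const { pathname } = new URL(urlString);
  if (pathname === CHANGE_PASSWORD_PATH) return { status: 200, headers: {} };
  return handleWellKnownRequest("GET", pathname);
}
function siteWithoutSupport() {
  return { status: 404, headers: {} };
}
function siteWithRedirectLoop() {
  return { status: 302, headers: { location: WELL_KNOWN_PATH } };
}
function siteDowngradingToHttp() {
  return { status: 302, headers: { Location: "http://example.com" + CHANGE_PASSWORD_PATH } };
}

console.log("supported site   ->", resolveChangePasswordUrl("https://example.com", siteWithSupport));
console.log("unsupported site ->", resolveChangePasswordUrl("https://example.com", siteWithoutSupport));
console.log("redirect loop    ->", resolveChangePasswordUrl("https://example.com", siteWithRedirectLoop));
```

In a real extension or browser feature the injected `fetchFn` would be an asynchronous wrapper around `fetch(url, { redirect: "manual" })` and the loop would `await` each hop; the redirect handling and the null-on-failure contract stay the same.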

Received on Wednesday, 6 May 2020 00:25:19 UTC