- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Wed, 13 Dec 2006 18:37:46 -0600
- To: "W3 Work Group" <public-wsc-wg@w3.org>
Mary Ellen Zurko wrote:

> User password storage, user password generation. Anything that's
> about managing the password for the user, since it's not about
> secure and usable presentation of web server security context
> information.

I'm going to push on this some more, because I think we're giving up on one of the few sources of reliable security context information that we actually have.

"Anything that's about managing the password for the user" seems far too broad to me. Our use cases, such as the Email Lure use case, culminate in the collection of the user's username/password by the phishing site. The password collection is what we're trying to prevent. To succeed, I think we're going to have to make changes to the way passwords, and other sensitive identifiers, are entered into web pages.

In addition to this pragmatic argument, I also have some definition-based arguments:

1. A user password is a client authentication credential. Why is a client authentication credential not web "security context information"? If the client's authentication credentials are out of scope, why are the server's authentication credentials in scope, meaning the server's X.509 certificate?

2. We've already declared historical browsing information as in scope. Why are the user's accumulated authentication credentials not historical browsing information?

Tyler
Received on Thursday, 14 December 2006 00:37:58 UTC