- From: Web Security Context Issue Tracker <dean+cgi@w3.org>
- Date: Mon, 16 Apr 2007 10:48:56 +0000 (UTC)
- To: public-wsc-wg@w3.org
ISSUE-49: trust in browser password cache needs to be better justified (public comment)

http://www.w3.org/2006/WSC/Group/track/issues/49

Raised by: Bill Doyle
On product: Note: use cases etc.

From public comments raised by: Al Gilman Alfred.S.Gilman@ieee.org
http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html

trust in browser password cache needs to be better justified

where it says, in 8.4 Password management (better to let browser keep it)

please consider

You have in effect zeroed out the hazard raised by exploits against the OS and browser. The bald assertion that it's better to minimize re-entry of passwords on repeated visits is thus not credible, because it is patently biased.

Why? Presently, I let the Apple OS keychain keep passwords for me; else not. This key wallet is explained as encrypted and this OS has a good track record.

If you want to represent the user's security, you have to include all threats in presenting a balanced picture of good and bad. If then you want the user to use the browser as a web-password safe, you need to make that case more convincingly than the present appeal to convenience, or avoiding spoofing risk.

Don't substitute a browser security hole for a user security hole. Fix the problem.
Received on Monday, 16 April 2007 10:49:07 UTC