- From: John Keiser <jkeiser@netscape.com>
- Date: Fri, 15 Nov 2002 17:05:50 -0800
- To: Toby Inkster <tobyink@goddamn.co.uk>
- Cc: www-forms@w3.org, www-html@w3.org, www-html-editor@w3.org
- Message-ID: <3DD599EE.9060409@netscape.com>
His idea isn't so bad as all that. Many servers use MD5 to store their passwords and thus you can use it to compare passwords, which is all that is needed for simple password authentication.

Why bother? Because sometimes people run small sites but do not have the wherewithal, technical knowledge, or control of the server necessary to use an https server.

However, you can use JavaScript to accomplish this deed if you are interested. I run a project that does a user authentication / session management and is meant to be used in multiple environments, and doing this in JavaScript is on the todo list because this need does exist.

The main point against this is, HTML is dead :)

An MD5 encryption function in XPath is something worth considering, though, so that it could be used in XForms (you could use a calculate node). I think it would be a bad idea to make it an attribute on the <secret> element, however--data manipulation like that belongs in the functional language.

--John Keiser

Toby Inkster wrote:

>On Fri, 15 Nov 2002 23:04:18 +0100
>"Xatr0z" <xatr0z@home.nl> wrote:
>
>| We hope this idea will be included in the W3C standards of HTML and
>| XHTML.
>
>I deeply hope this is a troll.
>
>This is a terrible idea for the following reasons:
>
>a) Rot13 and Base64 provide no security at all. Assuming rot13'd data is intercepted, it can be easily decoded by a 10 year old with a pen and paper.
>
>b) MD5 isn't even encryption -- it's a hash -- not reversible. Thus the server couldn't decode the information at the other end anyway!
>
>c) Why bother when we already have HTTPS? HTTPS provides security infinitely better than all the methods you have suggested.
>
>d) HTML is dead, there are no plans to recommend any further versions.
>
>--
>Toby A Inkster BSc ARCS
>PGP: http://www.goddamn.co.uk/tobyink/node.cgi?id=12
>Web Page: http://www.goddamn.co.uk/tobyink/
>IM: AIM:inka80 ICQ:6622880 YIM:tobyink Jabber:tobyink@a-message.de
>
>My pants just went to high school in the Carlsbad Caverns!!!

Received on Friday, 15 November 2002 20:08:49 UTC