- From: Marc de Graauw <marc@marcdegraauw.com>
- Date: Thu, 14 Dec 2006 14:11:10 +0100
- To: <www-tag@w3.org>
- Cc: <Alastair.Green@barclayscapital.com>, <cowan@ccil.org>
Alastair Green: | I think that the prevalence of server-side authenticated | HTTPS sites for | B2C commerce is so great as to indicate that users can handle it. You are thinking about businesses setting up servers, but today's reality is a lot of individuals with high-bandwith connections have web servers. If Grandpa publishes the photos of the last family weekend on his own webserver, can he protect it with a password in the clear? Or must he necessarily choose between publishing for the entire world and installing SSL on his server (or an alternative protection)? | Given this, it would be useful to see a more precise description of | additional circumstances (beyond the "stop the bot" in the document) | where P in the C is in fact applicable. If we consider this from an economical perspective, passwords in the clear would be appropriate in cases where: - the value of the protected information is nil for a malicious intruder; - the damage of publication of the protected information is practically nil, or at least very small, for the publisher. Admittedly, most cases won't fulfil the second criterion, but some will. Marc
Received on Thursday, 14 December 2006 13:11:45 UTC