- From: Rice, Ed (ProCurve) <ed.rice@hp.com>
- Date: Tue, 3 Oct 2006 14:54:54 -0500
- To: "Paul Cotton" <Paul.Cotton@microsoft.com>, <Vincent.Quint@inrialpes.fr>, <www-tag@w3.org>
I had assumed that since SOAP uses HTTP and HTTPS that the relationship was implied. Probably best to call it out, thanks.

I'm preparing another draft and I'll include SOAP messaging and the reference in the new draft.

-Ed

-----Original Message-----
From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of Paul Cotton
Sent: Tuesday, October 03, 2006 12:35 PM
To: Vincent.Quint@inrialpes.fr; www-tag@w3.org
Subject: RE: New draft TAG finding - Passwords in the Clear

Given the work of the W3C on web services, can Section 2.1 [1] point at the use of WS-Security [3] for securing SOAP messages including any passwords that might be supplied in clear text?

/paulc

[1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52#Secure%20Trasfer
[1] http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com

> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf
> Of Vincent Quint
> Sent: October 2, 2006 5:03 AM
> To: www-tag@w3.org
> Cc: Vincent.Quint@inrialpes.fr
> Subject: New draft TAG finding - Passwords in the Clear
>
>
> All,
>
> A new draft TAG finding is available for review and comments:
>
> Passwords in the Clear
>
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
>
> Abstract:
>
> The purpose of this finding is to clarify the security concerns around
> using passwords on the world wide web. Specifically, the objective is
> to point out a few conclusions the TAG has come to;
> 1) Passwords MUST NOT be transmitted in clear text.
> 2) Passwords MUST NOT be displayed on the html form in clear text.
> The purpose of this paper is to explain these findings and give direction
> around possible alternatives.
>
> This will be discussed at the upcoming f2f meeting this week.
> Comments on www-tag@w3.org are welcome.
>
> Vincent.
> --------------
> Vincent Quint                       INRIA Rhône-Alpes
> INRIA                               ZIRST
> e-mail: Vincent.Quint@inria.fr      655 avenue de l'Europe
> Tel.: +33 4 76 61 53 62             Montbonnot
> Fax: +33 4 76 61 52 07              38334 Saint Ismier Cedex
>                                     France

Received on Tuesday, 3 October 2006 19:55:11 UTC