Comments on Passwords in the Clear

Ed:

Here are some editorial suggestions on the draft "passwords in the clear" 
finding:

---------

The purpose of this finding is to clarify the security concerns around 
using passwords on the world wide web.  Specifically, the objective is to 
point out a few conclusions the TAG has come to:  <- should be a colon not 
a semicolon
1) Passwords MUST NOT be transmitted in clear test.  <--- typo (test vs. 
text)
2) Passwords MUST NOT be displayed on the html form in clear test.   <--- 
typo (test vs. text)
----------------------------------

miss-trust -> mistrust

----------------------------------

This paper will talk -> This paper talks (suggest use of present tense)

---------------------------------

as it relates to the world wide web.  -> capitalize World Wide Web

--------------------------------

When the passwords are transmitted in clear text, the password is 
vulnerable in many ways;   -> Which passwords?  Suggest deleting the word 
"the". 

--------------------------------

transactions are related to Fraud.    -> suggest you don't capitalize 
"fraud"

--------------------------------

'shared secret (a password)  -> missing close quote

-------------------------------

without trasmittion  -> spelling

-------------------------------

This verification method can be done without trasmittion of the password 
in clear text which is intended to address the HTTP 1.0 Basic method of 
authentication.    -> Ambiguous antecedent of "which is intended to 
address".  In other words, the word "which" can be parsed as referring to 
either "verification method can be done", the "transmitton" [sic], or the 
"clear text".  In fact, I'm not quite sure what you're trying to convey. 
Suggest you reword the sentence.

-----------------------------

The Digest method assumes that the username and password are prearranged 
however which may be a limitation to many applications. -> I think this 
reads a bit clumsily, but suggest at the very least commas are needed around 
"however".  You might reword: 

"The requirement to prearrange usernames and passwords may complicate or 
prevent the use of Digest Authentication for certain applications."


I hope these suggestions are helpful.

Noah

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

Received on Saturday, 7 October 2006 03:05:40 UTC
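The two mechanisms the reviewed sentences contrast, HTTP Basic (password sent in the clear, merely base64-encoded) and HTTP Digest (only a hash derived from a prearranged password is sent), are shown side by side below. This is an added example; it is not code from the draft finding or from the e-mail above. It implements the RFC 2617 Digest computation for qop=auth with MD5, uses the worked values from RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") as its constructed sample input, and assumes a server-side store keyed by (username, realm) that holds the prearranged HA1 value rather than the password itself.

```python
import base64
import hashlib
import hmac


def _md5_hex(s: str) -> str:
    """MD5 hex digest of a string (RFC 2617's default algorithm)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# --- HTTP Basic: the password crosses the wire in recoverable form --------

def basic_header(username: str, password: str) -> str:
    """Build an Authorization header as RFC 2617 section 2 describes."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_decode(header: str) -> tuple[str, str]:
    """Anyone observing the header can reverse it: base64 is not encryption."""
    assert header.startswith("Basic ")
    user, _, pw = base64.b64decode(header[len("Basic "):]).decode("utf-8").partition(":")
    return user, pw


# --- HTTP Digest: only hashes derived from the prearranged password cross ---

def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); this is all the server needs to keep."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client-side response for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Constructed server-side store: (username, realm) -> prearranged HA1.
# The plaintext password is never stored here and never transmitted.
def make_store(username: str, realm: str, password: str) -> dict:
    return {(username, realm): digest_ha1(username, realm, password)}


def server_verify(store: dict, username: str, realm: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, response: str) -> bool:
    """Recompute the expected response from the stored HA1 and compare it."""
    ha1 = store.get((username, realm))
    if ha1 is None:
        return False  # not prearranged: Digest cannot verify an unknown user
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


# Sample exchange using the RFC 2617 section 3.5 values (constructed input).
USERNAME, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, CNONCE, NC, URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001", "/dir/index.html"


def run_exchange(password_tried: str) -> dict:
    """Both sides of one request; returns what crossed the wire and the verdict."""
    store = make_store(USERNAME, REALM, PASSWORD)
    basic = basic_header(USERNAME, password_tried)
    ha1 = digest_ha1(USERNAME, REALM, password_tried)
    resp = digest_response(ha1, "GET", URI, NONCE, NC, CNONCE)
    return {
        "basic_header": basic,
        "basic_recovered_password": basic_decode(basic)[1],
        "digest_response": resp,
        "digest_verified": server_verify(store, USERNAME, REALM, "GET", URI,
                                         NONCE, NC, CNONCE, resp),
    }


if __name__ == "__main__":
    for candidate in (PASSWORD, "wrong password"):
        print(candidate, run_exchange(candidate))
```

The point the draft's sentence is reaching for is visible in the returned dictionary: the Basic header yields the password back verbatim to any observer, while the Digest response is a fixed-length hash the server can only check because the credential was prearranged, which is exactly the limitation the second reviewed sentence describes.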