- From: David Orchard <dorchard@bea.com>
- Date: Tue, 13 Nov 2007 13:26:10 -0800
- To: "W3C-TAG Group WG" <www-tag@w3.org>
- Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E0106E6AF@repbex01.amer.bea.com>
Based on our f2f meeting. And I did a couple of tweaks to texts that I thought read better:

"Because many systems store passwords as a salted hash, it is not possible in practice for both parties using such systems to compute the same initial secret value."

"However, there's no obvious method by which a web browser can reliably know when the data entered is sensitive. Furthermore, in browsers which enable scripting, it may be impossible to know whether the information is transmitted in clear text. For example, many forms use onSubmit actions to start javascript programs. These programs secure the password and then transmit the password and other information. A User Agent cannot examine the javascript to ensure that the password is not transmitted in clear text. Because of these limitations, this finding provides no Good Practice advice to User Agent authors."

http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52.html
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20071112.html

Cheers,
Dave
Received on Tuesday, 13 November 2007 21:26:39 UTC