Summary of Responses to Passwords in the Clear from Web SC Working Group

The Passwords in the clear draft was updated [1].  It was sent to the
Security Context Working Group comments list and the XML Security
Specifications Maintenance Working Group.   It generated considerable
traffic on the SC comments list.  It generated no traffic on XML SS
list.  It was discussed in the XML SS next telcon with reference given
to the SC comments list though no actions resulted.  I assume that any
contributions they wished to make they did so on the SC comments list.
I do not know why it did not get to the HTTPbis Working Group.  However,
the comments on SC comments list could result in a significant rewrite
so this is probably a non-issue.
Summary of comments
IIUC, the bulk of the sentiment can be summarized as: 1) passwords are
NEVER ok in the clear; 2) Digest is not acceptable.  
I am happy to do these changes, but I'd like some TAG support before
starting this large a rewrite.  
Details of comments
The first comment out of the block [2] from Chris Drake said "In general
- that entire document is horribly misleading.  You are advocating that
password exchange over non-encrypted mediums is acceptable (albeit after
obscuring the password itself)."
The recommendation was to say something like "  Always use SSL or some
equivalent security - there is no provision in web browsers that allows
passwords to be exchanged securely without SSL.  Not even hashing."
Ed Rice then +1'd Chris.  (You guess the message number).
Amir in [3] gave some positive support and then made 2 points.  "it
would be advisable that the draft explicitly warn against relying on
digest authentication, due to dictionary attacks" and "I think you
should also warn about incorrect use of SSL/TLS," with some more text.  
Phillip Hallam-Baker responded in length [4] but I was unable to extract
concrete proposals for how the draft should change.  I agree with
everything he said.   In [5] he was much more specific, pushing back on
any cases of sending passwords in the clear.   As he says, "The same
effect can be achieved through a POST form, there is no value to using a
password field in this case and in fact it is an encumbrance."  In [6],
Chris +1'd that statement, even saying he'd never heard of the idea of
stopping web crawlers that way before.  He also reiterated that SSL was
the only way to go to protect people.  
Discussion then petered out. 

Received on Wednesday, 9 April 2008 22:04:53 UTC