- From: David Orchard <dorchard@bea.com>
- Date: Wed, 9 Apr 2008 15:03:34 -0700
- To: <www-tag@w3.org>
- Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E01A4FF2B@repbex01.amer.bea.com>
The Passwords in the clear draft was updated [1]. It was sent to the Security Context working group comments list and the XML Security Specifications Maintenance Working group. It generated considerable traffic on the SC comments list. It generated no traffic on the XML SS list. It was discussed in the next XML SS telcon with reference given to the SC comments list, though no actions resulted. I assume that any contributions they wished to make they did so on the SC comments list. I do not know why it did not get to the HTTP bis working group. However, the comments on the SC comments list could result in a significant rewrite, so this is probably a non-issue.

Summary of comments
---------------------------------

IIUC, the bulk of the sentiment can be summarized as:
1) passwords are NEVER ok in the clear;
2) Digest is not acceptable.

I am happy to do these changes, but I'd like some TAG support before starting this large a rewrite.

Details of comments
----------------------------

The first comment out of the block [2] from Chris Drake said "In general - that entire document is horribly misleading. You are advocating that password exchange over non-encrypted mediums is acceptable (albeit after obscuring the password itself)." The recommendation was to say something like "Always use SSL or some equivalent security - there is no provision in web browsers that allows passwords to be exchanged securely without SSL. Not even hashing."

Ed Rice then +1'd Chris. (You guess the message number.)

Amir in [3] gave some positive support and then made 2 points: "it would be advisable that the draft explicitly warn against relying on digest authentication, due to dictionary attacks" and "I think you should also warn about incorrect use of SSL/TLS," with some more text.

Phillip Hallam-Baker responded at length [4], but I was unable to extract concrete proposals for how the draft should change. I agree with everything he said.

In [5] he was much more specific, pushing back on any cases of sending passwords in the clear. As he says, "The same effect can be achieved through a POST form, there is no value to using a password field in this case and in fact it is an encumbrance." In [6], Chris +1'd that statement, even saying he'd never heard of the idea of stopping web crawlers that way before. He also re-iterated that SSL was the only way to go to protect people.

Discussion then petered out.

Cheers,
Dave

[1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
[2] http://lists.w3.org/Archives/Public/public-usable-authentication/2008Feb/0002.html
[3] http://lists.w3.org/Archives/Public/public-usable-authentication/2008Feb/0004.html
[4] http://lists.w3.org/Archives/Public/public-usable-authentication/2008Feb/0005.html
[5] http://lists.w3.org/Archives/Public/public-usable-authentication/2008Feb/0006.html
[6] http://lists.w3.org/Archives/Public/public-usable-authentication/2008Feb/0007.html
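As an added illustration of the position summarized in this message (example code, not part of the original post or of the TAG draft): a small audit that flags any request carrying a credential over a non-https URL, treating Digest and Basic headers the same as a cleartext password field, since the commenters' point is that neither hashing nor Digest substitutes for SSL/TLS. The request records and the password field-name list are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not real traffic): URL, Authorization
# header and form body as a proxy or access log might record them.
SAMPLE_REQUESTS = [
    {"url": "http://example.test/login", "auth": "",
     "body": "user=alice&password=hunter2"},
    {"url": "https://example.test/login", "auth": "",
     "body": "user=alice&password=hunter2"},
    {"url": "http://example.test/api",
     "auth": 'Digest username="bob", realm="r", nonce="n1", uri="/api", '
             'response="9c2f0a1e"', "body": ""},
    {"url": "http://example.test/api", "auth": "Basic YWxpY2U6aHVudGVyMg==",
     "body": ""},
    {"url": "https://example.test/api", "auth": "Basic YWxpY2U6aHVudGVyMg==",
     "body": ""},
    {"url": "http://example.test/search", "auth": "", "body": "q=cats"},
]

# Form field names commonly used for passwords (assumed list; extend as needed).
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass", "passphrase"}


def is_plaintext_transport(url):
    """True unless the request went over https; anything else is 'in the clear'."""
    return urlsplit(url).scheme.lower() != "https"


def credential_kind(req):
    """Classify what credential, if any, the request carries.

    Digest is flagged alongside Basic: a captured Digest exchange can be
    checked offline against a dictionary, so it is not a substitute for TLS.
    A password field counts even if its value was hashed client-side,
    because a captured hash is replayable in place of the password.
    """
    header = req.get("auth") or ""
    scheme = header.split(" ", 1)[0].lower() if header else ""
    if scheme in ("basic", "digest"):
        return scheme
    for field in parse_qs(req.get("body") or ""):
        if field.lower() in PASSWORD_FIELDS:
            return "form-password"
    return None


def audit(requests):
    """Return (url, kind) for every request sending a credential without TLS."""
    findings = []
    for r in requests:
        kind = credential_kind(r)
        if kind and is_plaintext_transport(r["url"]):
            findings.append((r["url"], kind))
    return findings
```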
Received on Wednesday, 9 April 2008 22:04:53 UTC