- From: Shane McCarron <shane@aptest.com>
- Date: Fri, 18 Jul 2008 10:33:18 -0500
- To: www-tag@w3.org
- CC: XHTML WG <public-xhtml2@w3.org>
The XHTML 2 Working Group was asked to review the editors draft of the tag finding on passwords in the clear [1], and that task fell to me. Below are the working group comments on this document. Thanks for asking us to perform this review. In general the group feels that encouraging web site creators to secure information is a very good thing for the W3C to be doing. We have a few specific comments: 1. The working group agrees with another reviewer that the section 2.1.1 on Digest Authentication should be deprecated. SSL/TLS is readily available, and even self-created security certificates are better than the shared-secret architecture of Digests. 2. In section 2.1.2 paragraph 2, change "must" to "MUST". The working group agrees that web site developers MUST use SSL/TLS when sending passwords and other sensitive information between the user agent and the server. 3. In section 3 you discuss passwords displayed in Browser. HTML 4.01 [2], and by inference XHTML 1.0, 1.1, Basic 1.0, Basic 1.1, etc. mandate that input fields of type "password" render the text in such a way as to hide the characters. We understand why your good practice in this section is a SHOULD, but wanted to point out that if a field is of type password the SHOULD is somewhat academic. If a designer decides that it needs to be possible to reveal the contents of a password field, they will need to change the field type to "text" or use some sort of javascript to reveal the contents... And changing the type to "text" would fly in the face of the idea of password security within the user agent. The group also feels that it might be reasonable to add to this section that User Agents SHOULD remove the contents of the password field from their internal cache about the page after the form is submitted. This would further secure the password itself, and of course logically require that the password be re-entered by a user before the page could be re-submitted after pressing the browser's back button. If you have any questions about these comments, do not hesitate to contact me. [1] http://www.w3.org/2001/tag/doc/passwordsInTheClear-52 [2] http://www.w3.org/TR/html401/interact/forms.html#h-17.4.1 -- Shane P. McCarron Phone: +1 763 786-8160 x120 Managing Director Fax: +1 763 786-8180 ApTest Minnesota Inet: shane@aptest.com
Received on Friday, 18 July 2008 15:33:56 UTC