Comments on: http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

Hi there

(1) I think the advice section 2.1.1 "Given these weaknesses in Digest
and password selection, users may erroneously believe the transmitted
passwords are secure. Digest should only be used when the costs of
more secure systems such as SSL/TLS do not justify the benefits and
when strong passwords are encouraged or guaranteed." needs to be
strengthened.

Seriously, in today's world, given the wide availability of both
proprietary and open source SSL/TLS solutions, and the significant
industry experience in implementing them (I mean, even my cell phone
does TLS!), are there any circumstances in which Digest authentication
is justified? Should not Digest authentication therefore be simply
*deprecated*?

(2) Given the discussion of SSL/TLS, I think it would be wise to
mention client certificate-based authentication, as an alternative to,
or addition to, password-based authentication.

(3) More generally, mainstream security thinking nowadays is to
encourage two-factor authentication, certainly for highly sensitive
applications (e.g. financial applications). Of the various two-factor
mechanisms available, SSL client side certs [e.g. combined with
smartcards] and RSA SecurID-style [not sure what the generic
vendor-neutral term for these is] solutions are the easiest to
integrate into the current web architecture. Other solutions, e.g.
biometric, are inherently more difficult to support in a web-based
approach. I think the document should recommend consideration of
two-factor authentication solutions where relevant.

(4) Some discussion of the role that desktop single-sign on solutions
can play in the Web (i.e. Kerberos/GSSAPI/SPNEGO) would also be
useful. I notice that, at present, most deployed solutions for this
are IE/Windows/AD based -- which is not to say that other platform
combinations (e.g. Linux/Firefox/MIT Kerberos) cannot be used in this
scenario, but that maybe no vendor other than Microsoft has made this
as easy to deploy as it should be. If such an approach is a security
plus (and in Enterprise/Intranet deployments, I'd say it probably is),
I think vendors should be encouraged to investigate ways of easing its
deployment.

Cheers
Simon Kissane

Received on Monday, 30 June 2008 04:13:19 UTC