Re: Comments on: http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

On 26 June 2008 at 11:49, SJ Kissane wrote:

> Seriously, in today's world, given the wide availability of both
> proprietary and open source SSL/TLS solutions, and the significant
> industry experience in implementing them (I mean, even my cell phone
> does TLS!), are there any circumstances in which Digest authentication
> is justified? Should not digest authentication therefore be simply
> *deprecated*?

By no means.

There's one single reason why TLS/SSL has failed to be convincing to
all users: self-signed certificates are considered bad and announced
as such.

The wrong thing is that identity and encryption have been put in the
same basket so much that no user knows that SSL with, e.g., banks, is
safe if you actually consider the certificate's identity name (that
one is "guaranteed") and that it is the best anti-phishing way.
Instead, people just speak about "secure" communication meaning...
encrypted.
And then self-signed certificates are considered bad practice.

So the single reason for Digest: no annoyance, no password in the clear
(since self-signed means annoyance).

paul

Received on Monday, 30 June 2008 08:16:09 UTC
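The property the message above leans on, that HTTP Digest authentication keeps the password itself off the wire, is easy to see by walking through one exchange. The following is an added example (not code from the thread or from any W3C deliverable): it builds the server's challenge, the client's Authorization header and the server-side check as RFC 2617 specifies them for qop="auth", then shows that the header carries only MD5 hashes and that a server can verify with a stored HA1 rather than the cleartext password. The parameter values in the demo are the ones from the RFC 2617 section 3.5 worked example, so the computed response can be cross-checked against the spec; the function names and the tiny credential store are this example's own design and not an existing library API.

```python
"""HTTP Digest authentication (RFC 2617, algorithm=MD5, qop="auth") end to end.

Added example. Assumptions: function names and the (username, realm) -> HA1
credential store are invented here for illustration; the demo's nonce,
cnonce, opaque, username and password are the RFC 2617 section 3.5 values.
"""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """Lowercase hex MD5, the digest RFC 2617 mandates for algorithm=MD5."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is all the server needs to
    store; the verifier never needs the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri); qop="auth" does not hash the body."""
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """request-digest = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def server_challenge(realm: str, nonce=None) -> dict:
    """Parameters the server sends in 'WWW-Authenticate: Digest ...'.
    The nonce is random per challenge; it is a parameter here only so the
    demo can reproduce the RFC example deterministically."""
    return {"realm": realm, "qop": "auth", "algorithm": "MD5",
            "nonce": nonce or secrets.token_hex(16)}


def client_authorization(username, password, method, uri, challenge,
                         nc="00000001", cnonce=None) -> dict:
    """Parameters the client sends back in 'Authorization: Digest ...'.
    The password is consumed inside ha1() and never leaves this function."""
    cnonce = cnonce or secrets.token_hex(4)
    params = {
        "username": username, "realm": challenge["realm"],
        "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
        "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1(username, challenge["realm"], password),
                                    challenge["nonce"], nc, cnonce,
                                    challenge["qop"], ha2(method, uri)),
    }
    if "opaque" in challenge:          # echoed back unchanged, per RFC 2617
        params["opaque"] = challenge["opaque"]
    return params


def format_authorization(params: dict) -> str:
    """Serialise the header value; nc and qop are bare tokens, the rest quoted."""
    parts = [f"{k}={v}" if k in ("nc", "qop") else f'{k}="{v}"'
             for k, v in params.items()]
    return "Digest " + ", ".join(parts)


def server_verify(params: dict, method: str, credential_store: dict) -> bool:
    """Recompute the response from the stored HA1 and compare in constant time.
    A real server must also check that the nonce is one it issued recently and
    that (nonce, nc) has not been replayed; that bookkeeping is omitted here."""
    stored_ha1 = credential_store.get((params["username"], params["realm"]))
    if stored_ha1 is None:
        return False
    expected = digest_response(stored_ha1, params["nonce"], params["nc"],
                               params["cnonce"], params["qop"],
                               ha2(method, params["uri"]))
    return secrets.compare_digest(expected, params["response"])


def demo_rfc2617_example() -> dict:
    """Run the exchange with the RFC 2617 section 3.5 values and report results."""
    realm, username, password = "testrealm@host.com", "Mufasa", "Circle Of Life"
    method, uri = "GET", "/dir/index.html"
    challenge = server_challenge(realm, nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")
    challenge["opaque"] = "5ccc069c403ebaf9f0171e9517f40e41"
    params = client_authorization(username, password, method, uri, challenge,
                                  nc="00000001", cnonce="0a4f113b")
    header = format_authorization(params)
    store = {(username, realm): ha1(username, realm, password)}  # no cleartext
    wrong = client_authorization(username, "wrong password", method, uri,
                                 challenge, nc="00000001", cnonce="0a4f113b")
    return {"header": header, "response": params["response"],
            "verified": server_verify(params, method, store),
            "wrong_password_verified": server_verify(wrong, method, store),
            "password_on_wire": password in header}


if __name__ == "__main__":
    for k, v in demo_rfc2617_example().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner will want alongside the message's point. First, "not in the clear" is all Digest buys: an eavesdropper who records the challenge and response can run an offline dictionary attack against the MD5 construction above, so weak passwords are still exposed, and the request and response bodies are not encrypted at all. Second, Digest authenticates the client to the server only; it does nothing for server identity, which is exactly the part of TLS the message argues users have been taught to conflate with encryption.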