- From: Williams, Stuart (HP Labs, Bristol) <skw@hp.com>
- Date: Thu, 8 May 2008 16:20:49 +0000
- To: David Orchard <dorchard@bea.com>, "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, David Orchard <orchard@pacificspirit.com>
- CC: "www-tag@w3.org" <www-tag@w3.org>
This may go against the grain, but I'm wondering whether we can avoid the 'informational' "must not" (as opposed to the imperative "MUST NOT"s) which reflect a level of value judgement. I think maybe writing in a plain factual style would be better (and not lead to questions about whether that's a 'must not' or a 'MUST NOT'). eg rewrite:

> The Digest method is subject to dictionary attacks, and must not be used
> except in circumstances where passwords are known to be of sufficient
> length and complexity to thwart such attacks.

as:

The Digest method is subject to dictionary attacks, and is vulnerable in circumstances where passwords are known to be of insufficient length and complexity to thwart such attacks.

Regards

Stuart
--
Hewlett-Packard Limited registered Office: Cain Road, Bracknell, Berks RG12 1HN Registered No: 690597 England

> -----Original Message-----
> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of David Orchard
> Sent: 08 May 2008 16:52
> To: noah_mendelsohn@us.ibm.com; David Orchard
> Cc: www-tag@w3.org
> Subject: RE: Updated passwordsInTheClear-52
>
> I like your edits for the most part. I just replaced the existing versions, latest link at
> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
>
> I tweaked the wording somewhat to
>
> The Digest method is subject to dictionary attacks, and must not be used
> except in circumstances where passwords are known to be of sufficient
> length and complexity to thwart such attacks. The sophistication and
> power of dictionary-based attacks continues to increase such that longer
> and complex passwords are vulnerable to attacks, not just short
> passwords using common terms. Great care must therefore be taken using
> digest authentication, and it should be noted that few systems on the
> Web today require sufficiently strong passwords. The Digest method is
> also subject to man in the middle attacks because an intermediary can
> degrade the quality of service to basic authentication.
>
> Cheers,
> Dave
>
> > -----Original Message-----
> > From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of noah_mendelsohn@us.ibm.com
> > Sent: Friday, May 02, 2008 3:17 PM
> > To: David Orchard
> > Cc: www-tag@w3.org
> > Subject: Re: Updated passwordsInTheClear-52
> >
> > Dave: I took an action yesterday to review specifically your edits
> > dealing with digest authentication. I'm glad to see that you followed
> > up on the suggestion that digest may be acceptable when suitably strong
> > passwords are chosen. The quibble I have is that you specifically
> > suggest that only short alphanumeric strings can be cracked, and you
> > imply that longer alphanumeric strings are the answer. I think both of
> > those are questionable calls at best, and unnecessary to the essence of
> > the point. So, I suggest the following edits to your original:
> >
> > <original>
> > The Digest method is subject to dictionary attacks when passwords are
> > short common alphanumeric strings. An attacker can easily compute the
> > digest for a large set of such common passwords then compare against
> > the transmitted message. This can be mitigated by the use of
> > significantly longer strings, but this is very rare practice on the
> > web. The Digest method is subject to man in the middle attacks because
> > an intermediary can degrade the quality of service to basic
> > authentication.
> > </original>
> >
> > <suggested>
> > The Digest method is subject to dictionary attacks, and must not be
> > used except in circumstances where passwords are known to be of
> > sufficient length and complexity to thwart such attacks. The
> > sophistication and power of dictionary-based exploits continues to
> > increase; where before such attacks targeted only short passwords
> > using common terms, modern approaches can be effective in "cracking"
> > certain longer or more complex passwords as well. Great care must
> > therefore be taken if digest authentication is to be used, and it
> > should be noted that few systems in common use on the Web today ensure
> > the use of sufficiently strong passwords. The Digest method is >also<
> > subject to man in the middle attacks because an intermediary can
> > degrade the quality of service to be >no better than that of< basic
> > authentication.
> > </suggested>
> >
> > I'm short on time at the moment, and I suspect that a bit of editorial
> > work would result in somewhat more appealing prose, but I think the
> > essence of the changes is important. Anyway, I believe this discharges
> > my action, and I will go into tracker and close it. Thank you.
> >
> > Noah
> >
> > --------------------------------------
> > Noah Mendelsohn
> > IBM Corporation
> > One Rogers Street
> > Cambridge, MA 02142
> > 1-617-693-4036
> > --------------------------------------
> >
> > "David Orchard" <orchard@pacificspirit.com>
> > Sent by: www-tag-request@w3.org
> > 05/02/2008 09:19 AM
> >
> > To: www-tag@w3.org
> > cc: (bcc: Noah Mendelsohn/Cambridge/IBM)
> > Subject: Updated passwordsInTheClear-52
> >
> > Changes:
> >
> > Added comments about digest authentication and use of strong passwords.
> >
> > Previous changes
> >
> > Updated abstract.
> > Changed SHOULD NOT send passwords in the clear to MUST NOT and related text
> > Added information on Digest Authentication vulnerabilities and warning
> > Added SSL/TLS configuration warning.
> >
> > http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
> > http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080501.html
> >
> > Cheers,
> > Dave
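The two Digest weaknesses the thread argues over, in code. This is an added example, not part of the thread or of the TAG finding: a client-side guard that refuses the Digest-to-Basic downgrade on a cleartext connection, and the RFC 2617 response computation, which shows that the password is the only input an observer cannot read off the wire. The header values, realm, nonce and credentials are constructed.

```python
import hashlib
import re

# RFC 2617 auth-param syntax: token=quoted-string or token=token
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def md5hex(text):
    """Lowercase hex MD5, the hash HTTP Digest (RFC 2617) is built on."""
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(header_value):
    """Split one WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {k: quoted or token for k, quoted, token in _PARAM_RE.findall(rest)}
    return scheme.lower(), params

def choose_scheme(challenges, over_tls):
    """Decide which challenge a client may answer.

    Digest is answered when offered. Basic carries the password itself, so it
    is answered only over TLS: a cleartext response offering nothing but Basic
    is what an intermediary that stripped the Digest challenge would deliver,
    and is refused (None) instead of silently downgraded.
    """
    schemes = {parse_challenge(c)[0] for c in challenges}
    if "digest" in schemes:
        return "digest"
    if "basic" in schemes and over_tls:
        return "basic"
    return None

def digest_response(username, realm, password, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth"):
    """RFC 2617 request-digest for qop=auth.

    Every input except the password is visible on the wire, so whoever captured
    the exchange can recompute this for candidate passwords offline; the
    password's length and complexity are the only defence.
    """
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Constructed sample challenges (not taken from the thread)
DIGEST_CHALLENGE = 'Digest realm="example", qop="auth", nonce="6f5a2c"'
BASIC_CHALLENGE = 'Basic realm="example"'

if __name__ == "__main__":
    print(choose_scheme([DIGEST_CHALLENGE, BASIC_CHALLENGE], over_tls=False))  # digest
    print(choose_scheme([BASIC_CHALLENGE], over_tls=False))  # None: downgrade refused
```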
Received on Thursday, 8 May 2008 16:25:08 UTC