- From: John Kemp <john.kemp@nokia.com>
- Date: Fri, 10 Oct 2008 16:43:03 -0400
- To: "ext noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>
- CC: elharo@metalab.unc.edu, Jonathan Rees <jar@creativecommons.org>, ext David Orchard <orchard@pacificspirit.com>, "Ray Denenberg, Library of Congress" <rden@loc.gov>, www-tag@w3.org
ext noah_mendelsohn@us.ibm.com wrote:
> I think I agree with Dave Orchard here. MUST NOT is pretty strong. Let's
> say I put up a Web site for my family, an example I've used before. I
> want some barriers to casual access by others, but I really don't care
> that much whether anyone breaks in to see the photos of my kids' birthday
> party.

...

> Seems fine to me. What's broken? So, SHOULD NOT. MUST NOT
> should be reserved for things that are always a mistake, and I don't think
> this is.

OK, I can say I agree with your use-case. And I guess you wouldn't use SSL because it's too difficult to set it up on your family website...

I do wonder though whether this finding is really addressed to those running their family website (except TAG members ;), rather than those who write web software for a living?

> By the way, this reminds me of another hole. How many systems carefully
> use https for login, but send passwords around using insecure email. How
> many users store copies of those emails in unencrypted files. Yes, much
> of this is bad practice, and perhaps it should be called out as such in
> the finding. Still, it somewhat oversimplifies the discussion to focus a
> strong MUST NOT on the exchange of passwords using HTTP, while not saying
> anything at all about other common situations in which the same passwords
> are transmitted or stored "in the clear".

I certainly see your point, and I agree it would be good not to oversimplify. I think I can also agree that if the finding should address the use-case you describe, in addition to scenarios where we hope to impact web software, then we need to allow quite a lot of leeway.

- johnk

> Noah
>
> --------------------------------------
> Noah Mendelsohn
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
>
> John Kemp <john.kemp@nokia.com>
> 10/10/2008 10:39 AM
>
> To: ext David Orchard <orchard@pacificspirit.com>
> cc: elharo@metalab.unc.edu, "Ray Denenberg, Library of Congress" <rden@loc.gov>, noah_mendelsohn@us.ibm.com, Jonathan Rees <jar@creativecommons.org>, www-tag@w3.org
> Subject: Re: Passwords in the clear update
>
> ext David Orchard wrote:
>> The question is about how "harsh" the stick should be. Saying "MUST
>> NOT" when people very occasionally have legitimate reasons devalues the
>> finding and the advice.
>
> What are these legitimate reasons? Or perhaps put another way, what do
> we consider a "password" to be, if not a *secret* best shared only
> between exactly two parties and used to authenticate one party to the
> other?
>
>> I think we have to beat the point about the
>> dangers and encourage people to not use them.
>>
>> I think the finding currently reflects the very best that we are going
>> to get in terms of such a stance, and that is the least objectionable to
>> the most number of people.
>
> Perhaps. But if we wave our hands in the air, will anyone hear us?
>
> As you say in your introduction:
>
> "Security on the World Wide Web is an important issue which needs to be
> addressed, or mistrust of the Web will limit its growth potential."
>
> Password-based authentication is, for better or worse, an important part
> of security on the World Wide Web.
>
> Cheers,
>
> - johnk
>
>> Cheers,
>> Dave
>>
>> On Fri, Oct 10, 2008 at 6:23 AM, John Kemp <john.kemp@nokia.com> wrote:
>>
>> ext Elliotte Harold wrote:
>>
>>> Ray Denenberg, Library of Congress wrote:
>>>
>>>> A blanket admonishment: "do not ever, under any circumstance, use passwords
>>>> in the clear", is fairly useless; most everyone will ignore it. People are
>>>> not going to stop. Better to educate people on the dangers.
>>>
>>> Give that blanket admonishment, and then explain the reasons
>>> behind it; but don't compromise the good advice because you
>>> think it may not be followed by all people in all circumstances.
>>
>> I wholeheartedly agree. What is the sense in continuing to
>> implicitly condone these practices? Who would care?
>>
>> It is not that people will necessarily stop using passwords in the
>> clear, but shouldn't we have a metaphorical stick to beat them with?
>>
>> - johnk
Received on Friday, 10 October 2008 21:06:16 UTC