- From: Elliotte Harold <elharo@metalab.unc.edu>
- Date: Tue, 14 Oct 2008 06:34:17 -0700
- To: noah_mendelsohn@us.ibm.com
- Cc: Jonathan Rees <jar@creativecommons.org>, John Kemp <john.kemp@nokia.com>, ext David Orchard <orchard@pacificspirit.com>, "Ray Denenberg, Library of Congress" <rden@loc.gov>, www-tag@w3.org
noah_mendelsohn@us.ibm.com wrote:

> It's probably time to wrap this up, since in some ways we're agreeing on
> the pros and cons, and just not landing in the same place on whether the
> circumstance justifies a MUST or a SHOULD. That said, I've had a number
> of cases where I've happily used weak passwords, not necessarily for
> pictures of my kids, but for access to experimental Web sites or other
> things of transient value where it would be a nuisance but not a disaster
> if casual visitors showed up.

If we do loosen this to a SHOULD, then we need to be clear about one thing we haven't been in the past: user-chosen passwords must not be sent in the clear for the reasons the security group elaborated. Only passwords chosen by the server, which the user cannot change, may be sent in the clear.

--
Elliotte Rusty Harold elharo@metalab.unc.edu
Refactoring HTML Just Published!
http://www.amazon.com/exec/obidos/ISBN=0321503635/ref=nosim/cafeaulaitA

Received on Tuesday, 14 October 2008 13:34:55 UTC