Passwords in the clear update from David Orchard on 2008-09-12 (www-tag@w3.org from September 2008)

From: David Orchard <orchard@pacificspirit.com>
Date: Fri, 12 Sep 2008 16:30:51 -0700
To: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <2d509b1b0809121630y539d67ddx3a1cb48f2f4400b5@mail.gmail.com>

Dear TAG,

I have done a number of small edits to the Passwords in the Clear finding,
mostly adding material.  It is available at
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080912.html

I feel that we have reached the point where we are simply not going to get
consensus outside of the TAG on the principle guidance of the finding.
Roughly speaking, there is a spectrum of positions:
1) Clear text passwords never ok, digest authentication never ok.  This is
exemplified by some members of WS-SC, the XHTML2 WG's response [1], and
Simon Kissane [2]
2) Clear text passwords never ok, digest authentication ok.  Current
document status.  This or #3 supported by Paul Libbrecht [3] - he only
mentions digest ok, nothing about clear text passwords.
3) Clear text passwords sometimes ok (that's life), digest authentication
ok.  This is exemplified by the W3C web site, and thread in [4], including
strong statement by Chris Drake in [5]

Chris had an interesting way out in "Preventing cleartext or equivalent
password transmission requires SSL or custom server/client components
designed to negotiate secure sessions."

Other comments
- XHTML2 suggested adding section on removing contents of password fields
from the cache [1].  Done.
- explicitly mention client side certificates [2]. done.
- two factor authentication. [2].  done.
- other desktop single signon technologies, such as unix based [2].  Not
done just because the document doesn't need to be exhaustive.
- Update text to more clearly require that non-ssl agents should use salted
hashed passwords [6].  Done
- add AtomPub using ws-security username password token [6].  Done
- Explicitly mention new security specifications like OpenId and OAuth that
do not require username/password exchange. [6].  Done.

Cheers,
Dave

[1] http://lists.w3.org/Archives/Public/www-tag/2008Jul/0086.html
[2] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0126.html
[3] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0127.html
[4] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0106.html
[5] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0111.html
[6] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0024.html

Received on Friday, 12 September 2008 23:31:32 UTC