- From: David Orchard <orchard@pacificspirit.com>
- Date: Fri, 12 Sep 2008 16:30:51 -0700
- To: "www-tag@w3.org" <www-tag@w3.org>
- Message-ID: <2d509b1b0809121630y539d67ddx3a1cb48f2f4400b5@mail.gmail.com>
Dear TAG,

I have done a number of small edits to the Passwords in the Clear finding, mostly adding material. It is available at
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52
http://www.w3.org/2001/tag/doc/passwordsInTheClear-52-20080912.html

I feel that we have reached the point where we are simply not going to get consensus outside of the TAG on the principle guidance of the finding. Roughly speaking, there is a spectrum of positions:

1) Clear text passwords never ok, digest authentication never ok. This is exemplified by some members of WS-SC, the XHTML2 WG's response [1], and Simon Kissane [2].

2) Clear text passwords never ok, digest authentication ok. Current document status. This or #3 is supported by Paul Libbrecht [3] - he only mentions digest ok, nothing about clear text passwords.

3) Clear text passwords sometimes ok (that's life), digest authentication ok. This is exemplified by the W3C web site, and the thread in [4], including a strong statement by Chris Drake in [5].

Chris had an interesting way out in "Preventing cleartext or equivalent password transmission requires SSL or custom server/client components designed to negotiate secure sessions."

Other comments

- XHTML2 suggested adding a section on removing the contents of password fields from the cache [1]. Done.
- Explicitly mention client side certificates [2]. Done.
- Two factor authentication [2]. Done.
- Other desktop single sign-on technologies, such as Unix based [2]. Not done, just because the document doesn't need to be exhaustive.
- Update text to more clearly require that non-SSL agents should use salted hashed passwords [6]. Done.
- Add AtomPub using WS-Security username password token [6]. Done.
- Explicitly mention new security specifications like OpenID and OAuth that do not require username/password exchange [6]. Done.
Cheers,
Dave

[1] http://lists.w3.org/Archives/Public/www-tag/2008Jul/0086.html
[2] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0126.html
[3] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0127.html
[4] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0106.html
[5] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0111.html
[6] http://lists.w3.org/Archives/Public/www-tag/2008Jun/0024.html
Received on Friday, 12 September 2008 23:31:32 UTC
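The three positions in the message above differ on what HTTP Digest authentication (RFC 2617) actually buys over a cleartext password. The following is an added worked example, not code from the TAG finding or from anyone in the thread. It implements the qop=auth MD5 response computation and a minimal server check (known nonce, increasing nonce count, constant-time compare), then shows the two properties the positions hinge on: a passive observer who captures one Authorization header can run an offline dictionary attack against it, so digest only hides the password from the wire to the extent the password resists guessing; and the HA1 value a digest server stores is itself sufficient to authenticate, so a leaked credential store is password-equivalent for that realm. The realm, user, password, URI and wordlist are constructed for the demo.

```python
"""Added example: RFC 2617 Digest auth (qop=auth, MD5) end to end, with the
offline-guessing and stored-HA1 weaknesses made explicit. All values constructed."""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A digest server may store this
    instead of the password; note the only 'salt' is the fixed realm string."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) where HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: issues nonces, stores HA1 per user, rejects replayed nonce counts."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials      # username -> HA1
        self.issued = {}                    # nonce -> highest nc accepted so far

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return {"realm": self.realm, "qop": "auth", "nonce": nonce, "algorithm": "MD5"}

    def verify(self, method: str, auth: dict) -> bool:
        stored_ha1 = self.credentials.get(auth["username"])
        if stored_ha1 is None or auth["realm"] != self.realm:
            return False
        last_nc = self.issued.get(auth["nonce"])
        nc = int(auth["nc"], 16)
        if last_nc is None or nc <= last_nc:   # unknown nonce, or a replayed (nonce, nc)
            return False
        expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                                   auth["nc"], auth["cnonce"], auth["qop"])
        if not secrets.compare_digest(expected, auth["response"]):
            return False
        self.issued[auth["nonce"]] = nc
        return True


def build_authorization(ha1: str, username: str, challenge: dict, method: str,
                        uri: str, nc: str = "00000001") -> dict:
    """Client side. Only HA1 is needed, which is exactly why a stolen HA1 suffices."""
    cnonce = secrets.token_hex(8)
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, challenge["nonce"], nc, cnonce,
                                    challenge["qop"]),
    }


def offline_dictionary_attack(method: str, auth: dict, wordlist) -> "str | None":
    """Passive eavesdropper: every field except the password is in the captured
    header, so each guess costs two MD5 calls and needs no further traffic."""
    for candidate in wordlist:
        guess_ha1 = compute_ha1(auth["username"], auth["realm"], candidate)
        if digest_response(guess_ha1, method, auth["uri"], auth["nonce"], auth["nc"],
                           auth["cnonce"], auth["qop"]) == auth["response"]:
            return candidate
    return None


def demo() -> dict:
    realm, user, password = "example.org", "alice", "winter2008"   # constructed
    server = DigestServer(realm, {user: compute_ha1(user, realm, password)})

    # Legitimate exchange, then the same header replayed.
    chal = server.challenge()
    auth = build_authorization(compute_ha1(user, realm, password), user, chal, "GET", "/private")
    first_ok = server.verify("GET", auth)
    replay_ok = server.verify("GET", auth)

    # Eavesdropper with the captured header and a small constructed wordlist.
    recovered = offline_dictionary_attack(
        "GET", auth, ["password", "letmein", "winter2008", "summer2008"])

    # Attacker holding only the server's stored HA1 (no password) authenticates anyway.
    stolen_ha1 = server.credentials[user]
    chal2 = server.challenge()
    ha1_ok = server.verify("GET", build_authorization(stolen_ha1, user, chal2, "GET", "/private"))

    return {"auth_ok": first_ok, "replay_rejected": not replay_ok,
            "recovered": recovered, "ha1_is_password_equivalent": ha1_ok}


if __name__ == "__main__":
    print(demo())
```

Read against the thread: the replay check is what digest does give you for free over Basic, the dictionary attack is why the position-1 camp treats digest as "equivalent password transmission" for weak passwords, and the HA1 result is why a digest credential store needs the same protection as a plaintext one.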