ISSUE-49

trust in browser password cache needs to be better justified (public comment)

State: CLOSED
Product: wsc-usecases
Raised by: Bill Doyle
Opened on: 2007-04-16
Description:
From public comments
raised by: Al Gilman Alfred.S.Gilman@ieee.org

http://lists.w3.org/Archives/Public/public-usable-authentication/2007Apr/0000.html

trust in browser password cache needs to be better justified
where it says, in 8.4 Password management
(better to let browser keep it)
please consider
You have in effect zeroed out the hazard raised by exploits against the OS and
browser. The bald assertion that it's better to minimize re-entry of
passwords on repeated visits is thus not credible, because it is patently
biased.
Why?
Presently, I let the Apple OS keychain keep passwords for me; else not. This
key wallet is explained as encrypted and this OS has a good track record. If
you want to represent the user's security, you have to include all threats in
presenting a balanced picture of good and bad. If then you want the user to
use the browser as a web-password safe, you need to make that case more
convincingly than the present appeal to convenience, or avoiding spoofing
risk. Don't substitute a browser security hole for a user security hole. Fix
the problem.
Related Actions Items:
No related actions
Related emails:
  1. RE: ISSUE-49: trust in browser password cache needs to be better justified (public comment) (from tyler.close@hp.com on 2007-05-21)
  2. Re: ISSUE-49: trust in browser password cache needs to be better justified (public comment) (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-05-18)
  3. Re: ISSUE-49: trust in browser password cache needs to be better justified (public comment) (from Mary_Ellen_Zurko@notesdev.ibm.com on 2007-04-19)
  4. ISSUE-49: trust in browser password cache needs to be better justified (public comment) (from dean+cgi@w3.org on 2007-04-16)

Related notes:

No additional notes.



Mary Ellen Zurko <mzurko@us.ibm.com>, Chair, Thomas Roessler <tlr@w3.org>, Staff Contact
Tracker (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 49.html,v 1.1 2010/10/11 09:35:17 dom Exp $