[x500standard] Re: New draft on password policy
- From: "Santosh Chokhani" <SChokhani@xxxxxxxxxxxx>
- To: <x500standard@xxxxxxxxxxxxx>
- Date: Wed, 23 Sep 2009 15:34:26 -0400
Kurt,
I am not sure if I fully understand the context, but whoever gave DUA
the encrypted password can supply the salt. The salt is not a secret.
Its sole purpose is to make dictionary attack less effective by forcing
the attack to compute encrypted text for all the salts.
> -----Original Message-----
> From: x500standard-bounce@xxxxxxxxxxxxx
> [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Kurt Zeilenga
> Sent: Wednesday, September 23, 2009 3:25 PM
> To: x500standard@xxxxxxxxxxxxx
> Subject: [x500standard] Re: New draft on password policy
>
>
> On Sep 23, 2009, at 9:52 AM, Kemp, David P. wrote:
>
> > The password equivalent applies to the DSA that has stored
> the hashed
> > password. But a hashed password is not equivalent to a
> clear password
> > if the DSA attempts to use it in a different context (e.g. to
> > impersonate the user on a different DSA). Of course, humans never
> > reuse passwords or use related passwords on more than one
> system, so
> > this should never be a problem :-).
>
> How does a DUA determine which salt to use?
>
> -- Kurt
>
>
>
> > Dave
> >
> >
> > -----Original Message-----
> > From: x500standard-bounce@xxxxxxxxxxxxx
> > [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of
> Kurt Zeilenga
> > Sent: Wednesday, September 23, 2009 12:41 PM
> > To: x500standard@xxxxxxxxxxxxx
> > Subject: [x500standard] Re: New draft on password policy
> >
> >
> > On Sep 21, 2009, at 9:28 AM, David Chadwick wrote:
> >
> >> Hi Howard
> >>
> >> Here are our responses from today to the issues you raised
> below. If
> >> an issue has not been answered, this means we have not had time to
> >> address it yet and will do so tomorrow. Any comments you
> have on our
> >> deliberations so far will be appreciated
> >>
> >> Howard Chu wrote:
> >>> Erik Andersen wrote:
> >>>> Hi Folks,
> >>>>
> >>>> SC6 has made the latest draft of Password Policy
> available. It may
> >>>> be downloaded from http://www.x500standard.com/index.php?
> >>>> n=Ig.Extension.
> >>>>
> >>>> SC6 has authorised that we bring this document forward to PDAM
> >>>> status during the September 2009 meeting.
> >>>>
> >>>> Please provide comments in time for that meeting.
> >>> Based on experience implementing various revisions of the LDAP
> >>> Password Policy Draft
> >>> http://tools.ietf.org/draft/draft-behera-ldap-password-policy/
> >>> and concerns raised in Kurt's newer draft
> >>> http://tools.ietf.org/html/draft-zeilenga-ldap-passwords-00
> >>> I have several concerns, some related to keeping this X.500 draft
> >>> cross-compatible with LDAP, and some related to password policy
> >>> management in general.
> >>> 1) relying on clients to know that they should be using
> an encrypted
> >>> password, and to know which algorithm to use, seems
> impractical in
> >>> the real world. IMO whether and how the password is
> encrypted should
> >>> be a matter private to the DSA.
> >>
> >> we still allow this as an option, but we think it is more
> secure if
> >> the directory never knows the user's password so is not
> able to store
> >> it in audit trails or anywhere.
> >
> > If that's the rationale then shouldn't it apply to all password
> > equivalents. If the protocol allows a DUA knowing only the
> encrypted
> > password to gain access, the encrypted password is a password
> > equivalent.
> >
> > -- Kurt
> >
> > -----
> > www.x500standard.com: The central source for information on
> the X.500
> > Directory Standard.
> >
> > -----
> > www.x500standard.com: The central source for information on the X.
> > 500 Directory Standard.
> >
>
> -----
> www.x500standard.com: The central source for information on
> the X.500 Directory Standard.
>
>
-----
www.x500standard.com: The central source for information on the X.500 Directory
Standard.
Other related posts:
