Hi Kurt Kurt Zeilenga wrote:
On Sep 24, 2009, at 10:59 AM, David Chadwick wrote:In method two, the user generates the salt, so it can be whatever the user wants it to be. But this means the user must remember both the salt and the passwordAnd because users will find this hard to do on a context-specific basis, they'll just reuse salts as they reuse passwords... and that diminishes the only purported benefit of this mechanism had, preventing DSA reuse in other contexts.This is why we think this method has little utility and is not recommended.Why then add it to the standard? Adding such a feature to the standard does more harm than good.
It is a by-product of defining the new password attribute type, which is a choice of clear text or encrypted. Since this attribute can be used in Compare and Bind, then we would have to explicitly disallow the encrypted variant to be submitted by the user. But this would be an odd thing to do, especially for the Compare operation. So the only way we can rule it out is in the matching rule definition, by saying that an encrypted assertion syntax always fails to match an encrypted stored attribute. We did have this text in one version of the draft, but in the final version we are releasing we have said that if the algorithm ids and parameters do not match then matching will fail. This is the more generic and proper way of doing the matching I believe
regards David
While I would find introduction of a well-designed password-based mechanism which had SCRAM-like features (disallow server reuse, channel bindings, etc.) less objectionable, I much rather simply have well-integrated SASL and TLS support and simply use SCRAM or the like.-- Kurt -----www.x500standard.com: The central source for information on the X.500 Directory Standard.
-- ------------------------------------------------------------- The Israeli group Breaking the Silence has just released a collection of testimonies by Israeli soldiers that took part in the Gaza attack lastDecember and January. The testimonies expose significant gaps between the official stances of the Israeli military and events on the ground.
See http://www.shovrimshtika.org/news_item_e.asp?id=30 The Israeli government defies Obama, and continues its settlement expansionIsrael plans to allocate $250 million over the next two years for settlements
http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698 whilst simultaneously continuing to bulldoze Palestinian homes http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357 ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@xxxxxxxxxx Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 ***************************************************************** ----- www.x500standard.com: The central source for information on the X.500 Directory Standard.