[x500standard] Re: New draft on password policy

  • From: David Chadwick <d.w.chadwick@xxxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Fri, 25 Sep 2009 12:22:56 +0100

Hi Kurt

Kurt Zeilenga wrote:

On Sep 24, 2009, at 10:59 AM, David Chadwick wrote:

In method two, the user generates the salt, so it can be whatever the user wants it to be. But this means the user must remember both the salt and the password.

And because users will find this hard to do on a context-specific basis, they'll just reuse salts as they reuse passwords... and that diminishes the only purported benefit this mechanism had, preventing DSA reuse in other contexts.

This is why we think this method has little utility and is not recommended.

Why then add it to the standard? Adding such a feature to the standard does more harm than good.

It is a by-product of defining the new password attribute type, which is a choice of clear text or encrypted. Since this attribute can be used in Compare and Bind, we would have to explicitly disallow the encrypted variant from being submitted by the user. But this would be an odd thing to do, especially for the Compare operation. So the only way we can rule it out is in the matching rule definition, by saying that an encrypted assertion syntax always fails to match an encrypted stored attribute. We did have this text in one version of the draft, but in the final version we are releasing we have said that if the algorithm ids and parameters do not match then matching will fail. This is the more generic and proper way of doing the matching, I believe.

regards

David




While I would find introduction of a well-designed password-based mechanism which had SCRAM-like features (disallow server reuse, channel bindings, etc.) less objectionable, I would much rather simply have well-integrated SASL and TLS support and simply use SCRAM or the like.

-- Kurt
-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.



--
-------------------------------------------------------------
The Israeli group Breaking the Silence has just released a collection of
testimonies by Israeli soldiers that took part in the Gaza attack last
December and January. The testimonies expose significant gaps between the official stances of the Israeli military and events on the ground.

See http://www.shovrimshtika.org/news_item_e.asp?id=30

The Israeli government defies Obama, and continues its settlement expansion

Israel plans to allocate $250 million over the next two years for settlements

http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698

whilst simultaneously continuing to bulldoze Palestinian homes

http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
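As an added example (not part of this thread or of the X.500 draft), the following Python sketches the matching rule David describes for the new password attribute: a CHOICE of clear text or an "encrypted" form carrying its algorithm id and parameters, where an encrypted assertion matches an encrypted stored value only when the algorithm ids and parameters agree, and a clear assertion is first encrypted under the stored value's algorithm and parameters. The algorithm ids, the use of a salt as the sole parameter, and the handling of an encrypted assertion against a clear stored value are this example's assumptions, not the draft's ASN.1.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Encrypted:
    """Constructed stand-in for the draft's encrypted alternative."""
    algorithm: str   # constructed id such as "sha256-salted", not a real OID
    salt: bytes      # the algorithm parameters (assumption: salt only)
    value: bytes     # digest of salt || password


Password = Union[str, Encrypted]

# Constructed algorithm table; ids are this example's, not the standard's.
SUPPORTED = {"sha256-salted": hashlib.sha256, "sha1-salted": hashlib.sha1}


def encrypt(clear: str, algorithm: str, salt: bytes) -> Encrypted:
    """Derive the encrypted form under a given algorithm id and parameters."""
    digest = SUPPORTED[algorithm](salt + clear.encode("utf-8")).digest()
    return Encrypted(algorithm, salt, digest)


def password_match(assertion: Password, stored: Password) -> bool:
    """Matching rule: encrypted vs encrypted fails unless algorithm ids and
    parameters are identical; clear text is re-encrypted before comparison."""
    if isinstance(assertion, str) and isinstance(stored, str):
        return hmac.compare_digest(assertion.encode(), stored.encode())
    if isinstance(assertion, str):
        # Clear assertion (e.g. a Bind) against an encrypted stored value.
        if stored.algorithm not in SUPPORTED:
            return False
        derived = encrypt(assertion, stored.algorithm, stored.salt)
        return hmac.compare_digest(derived.value, stored.value)
    if isinstance(stored, str):
        # Assumption: encrypt the stored clear text under the assertion's
        # algorithm and parameters, then compare digests.
        if assertion.algorithm not in SUPPORTED:
            return False
        derived = encrypt(stored, assertion.algorithm, assertion.salt)
        return hmac.compare_digest(assertion.value, derived.value)
    # Encrypted vs encrypted: a different algorithm id or different
    # parameters (salt) means the assertion cannot match, whatever the value.
    if assertion.algorithm != stored.algorithm or assertion.salt != stored.salt:
        return False
    return hmac.compare_digest(assertion.value, stored.value)
```

A consequence visible in the encrypted-vs-encrypted branch is that an encrypted value computed under one DSA's salt is useless as an assertion against a DSA that stored the same password under a different salt, which is the reuse protection the thread discusses.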
