[x500standard] Re: New draft on password policy
- From: "Kemp, David P." <DPKemp@xxxxxxxxxxxxxx>
- To: <x500standard@xxxxxxxxxxxxx>
- Date: Wed, 23 Sep 2009 12:52:04 -0400
The password equivalent applies to the DSA that has stored the hashed
password. But a hashed password is not equivalent to a clear password
if the DSA attempts to use it in a different context (e.g. to
impersonate the user on a different DSA). Of course, humans never reuse
passwords or use related passwords on more than one system, so this
should never be a problem :-).
Dave
-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Kurt Zeilenga
Sent: Wednesday, September 23, 2009 12:41 PM
To: x500standard@xxxxxxxxxxxxx
Subject: [x500standard] Re: New draft on password policy
On Sep 21, 2009, at 9:28 AM, David Chadwick wrote:
> Hi Howard
>
> Here are our responses from today to the issues you raised below. If
> an issue has not been answered, this means we have not had time to
> address it yet and will do so tomorrow. Any comments you have on our
> deliberations so far will be appreciated
>
> Howard Chu wrote:
>> Erik Andersen wrote:
>>> Hi Folks,
>>>
>>> SC6 has made the latest draft of Password Policy available. It may
>>> be
>>> downloaded from http://www.x500standard.com/index.php?
>>> n=Ig.Extension.
>>>
>>> SC6 has authorised that we bring this document forward to PDAM
>>> status
>>> during the September 2009 meeting.
>>>
>>> Please provide comments in time for that meeting.
>> Based on experience implementing various revisions of the LDAP
>> Password Policy Draft
>> http://tools.ietf.org/draft/draft-behera-ldap-password-policy/
>> and concerns raised in Kurt's newer draft
>> http://tools.ietf.org/html/draft-zeilenga-ldap-passwords-00
>> I have several concerns, some related to keeping this X.500 draft
>> cross-compatible with LDAP, and some related to password policy
>> management in general.
>> 1) relying on clients to know that they should be using an
>> encrypted password, and to know which algorithm to use, seems
>> impractical in the real world. IMO whether and how the password is
>> encrypted should be a matter private to the DSA.
>
> we still allow this as an option, but we think it is more secure if
> the directory never knows the user's password so is not able to
> store it in audit trails or anywhere.
If that's the rationale then shouldn't it apply to all password
equivalents. If the protocol allows a DUA knowing only the encrypted
password to gain access, the encrypted password is a password
equivalent.
-- Kurt
-----
www.x500standard.com: The central source for information on the X.500
Directory Standard.
-----
www.x500standard.com: The central source for information on the X.500 Directory
Standard.
Other related posts:
