The password equivalent applies to the DSA that has stored the hashed password. But a hashed password is not equivalent to a clear password if the DSA attempts to use it in a different context (e.g. to impersonate the user on a different DSA). Of course, humans never reuse passwords or use related passwords on more than one system, so this should never be a problem :-).

Dave

-----Original Message-----
From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Kurt Zeilenga
Sent: Wednesday, September 23, 2009 12:41 PM
To: x500standard@xxxxxxxxxxxxx
Subject: [x500standard] Re: New draft on password policy

On Sep 21, 2009, at 9:28 AM, David Chadwick wrote:

> Hi Howard
>
> Here are our responses from today to the issues you raised below. If
> an issue has not been answered, this means we have not had time to
> address it yet and will do so tomorrow. Any comments you have on our
> deliberations so far will be appreciated.
>
> Howard Chu wrote:
>> Erik Andersen wrote:
>>> Hi Folks,
>>>
>>> SC6 has made the latest draft of Password Policy available. It may
>>> be downloaded from http://www.x500standard.com/index.php?n=Ig.Extension.
>>>
>>> SC6 has authorised that we bring this document forward to PDAM
>>> status during the September 2009 meeting.
>>>
>>> Please provide comments in time for that meeting.
>>
>> Based on experience implementing various revisions of the LDAP
>> Password Policy Draft
>> http://tools.ietf.org/draft/draft-behera-ldap-password-policy/
>> and concerns raised in Kurt's newer draft
>> http://tools.ietf.org/html/draft-zeilenga-ldap-passwords-00
>> I have several concerns, some related to keeping this X.500 draft
>> cross-compatible with LDAP, and some related to password policy
>> management in general.
>>
>> 1) Relying on clients to know that they should be using an
>> encrypted password, and to know which algorithm to use, seems
>> impractical in the real world. IMO whether and how the password is
>> encrypted should be a matter private to the DSA.
>
> We still allow this as an option, but we think it is more secure if
> the directory never knows the user's password, so it is not able to
> store it in audit trails or anywhere.

If that's the rationale, then shouldn't it apply to all password equivalents? If the protocol allows a DUA knowing only the encrypted password to gain access, the encrypted password is a password equivalent.

-- Kurt

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
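To make the "password equivalent" distinction argued in the thread above concrete, the following Python model is added here; it is not code from the mailing list, from the X.500 draft, or from any DSA implementation. It compares two toy in-memory directory servers: one that accepts a client-computed, unsalted hash on the wire (the scheme Howard questions), and one that keeps a per-entry salted verifier and expects the clear password over a protected channel (the channel itself is not modelled). The class names, the user "alice", the password, and the choice of SHA-256 and PBKDF2 are assumptions made for this example.

```python
"""Added illustration: when is a stored password hash a 'password equivalent'?

Kurt's test is whether a DUA that knows only the stored value can bind.
Dave's aside is whether that value also works against a *different* DSA.
All names and algorithm choices below are assumptions for the example.
"""
import hashlib
import hmac
import os

# Iteration count kept modest so the example runs quickly; a production
# verifier would use a higher, tuned cost.
PBKDF2_ROUNDS = 50_000


def client_side_hash(password: str) -> str:
    """Unsalted hash computed by the DUA: the client must know the algorithm
    and sends H(password) on the wire instead of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


class PrehashedCredentialDSA:
    """Stores H(password) and accepts exactly H(password) from the DUA.

    The stored value is the wire credential, so whoever can read the store
    (or an audit trail that recorded the bind) can authenticate as the user.
    """

    def __init__(self, name: str):
        self.name = name
        self._store: dict[str, str] = {}

    def enrol(self, user: str, password: str) -> None:
        self._store[user] = client_side_hash(password)

    def bind(self, user: str, wire_credential: str) -> bool:
        stored = self._store.get(user)
        return stored is not None and hmac.compare_digest(stored, wire_credential)

    def leak_store(self) -> dict[str, str]:
        """Models a read of the password attribute by someone who should not have it."""
        return dict(self._store)


class SaltedVerifierDSA:
    """Stores a per-entry salted verifier; the DUA sends the clear password.

    The stored value cannot be replayed as a credential here, and another DSA
    with its own salts derives a different verifier even for a reused password.
    """

    def __init__(self, name: str):
        self.name = name
        self._store: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._store[user] = (salt, self._derive(password, salt))

    def bind(self, user: str, wire_credential: str) -> bool:
        entry = self._store.get(user)
        if entry is None:
            return False
        salt, verifier = entry
        return hmac.compare_digest(verifier, self._derive(wire_credential, salt))

    def leak_store(self) -> dict[str, tuple[str, str]]:
        return {u: (s.hex(), v.hex()) for u, (s, v) in self._store.items()}


def stored_value_is_password_equivalent(dsa, user: str) -> bool:
    """Kurt's criterion: can a DUA bind knowing only what the DSA stored?"""
    leaked = dsa.leak_store()[user]
    credential = leaked if isinstance(leaked, str) else leaked[1]
    return dsa.bind(user, credential)


def demo() -> dict[str, bool]:
    a, b = PrehashedCredentialDSA("dsa-a"), PrehashedCredentialDSA("dsa-b")
    c, d = SaltedVerifierDSA("dsa-c"), SaltedVerifierDSA("dsa-d")
    for dsa in (a, b, c, d):
        dsa.enrol("alice", "correct horse")  # alice reuses one password everywhere
    return {
        "prehashed_store_is_equivalent": stored_value_is_password_equivalent(a, "alice"),
        "prehashed_value_reusable_at_other_dsa": b.bind("alice", a.leak_store()["alice"]),
        "salted_store_is_equivalent": stored_value_is_password_equivalent(c, "alice"),
        "salted_value_reusable_at_other_dsa": d.bind("alice", c.leak_store()["alice"][1]),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running `demo()` gives True for both pre-hashed checks and False for both salted checks: the unsalted client-side hash is a password equivalent at the DSA that stores it, and, because the scheme is the same everywhere and the password is reused, it also binds at a second DSA, which is the situation Dave's closing remark alludes to. The salted verifier fails Kurt's criterion at its own DSA and is not transferable to another, though note that it only protects the stored value; a reused clear password remains a reused clear password.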