[x500standard] Re: New draft on password policy

  • From: "Santosh Chokhani" <SChokhani@xxxxxxxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>
  • Date: Wed, 23 Sep 2009 16:45:46 -0400

I am not sure I fully grasp what Kurt is saying in his detailed
response, but if I were architecting the solution, I would say whoever
gives you the encrypted password can give you the salt. It is like an IV; the
recipient gets it insecurely in-band.

> -----Original Message-----
> From: x500standard-bounce@xxxxxxxxxxxxx 
> [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Wilson
> Sent: Wednesday, September 23, 2009 4:44 PM
> To: x500standard@xxxxxxxxxxxxx
> Subject: [x500standard] Re: New draft on password policy
> 
> On Wed, 2009-09-23 at 16:17 -0400, Santosh Chokhani wrote:
> > I agree, but revealing the salt or not revealing the salt is not as 
> > security relevant.
> 
> which brings us back to Kurt's point about how does the 
> client know what salt to use, if the server holds the hashed 
> password+salt. 
> 
> -----
> www.x500standard.com: The central source for information on 
> the X.500 Directory Standard.
> 
> 
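The exchange discussed in this thread, as an added example that is not part of the original posts: the stored value carries its salt in the clear, the way an IV accompanies ciphertext, and whoever holds it hands the salt to the client. PBKDF2-HMAC-SHA256, the iteration count, the `salt$hash` record layout and all function names are assumptions for illustration, not taken from the draft.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor, not from the thread


def derive(password: str, salt: bytes) -> bytes:
    """Salted hash; PBKDF2-HMAC-SHA256 is an assumed choice of algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Stored value: the salt sits in the clear beside the hash, like an IV."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + derive(password, salt).hex()


def salt_from_record(record: str) -> bytes:
    """What the holder of the record hands to the client, unprotected."""
    salt_hex, _, _ = record.partition("$")
    return bytes.fromhex(salt_hex)


def server_verify(record: str, candidate: bytes) -> bool:
    """Compare a client-computed hash with the stored one in constant time."""
    _, _, hash_hex = record.partition("$")
    return hmac.compare_digest(bytes.fromhex(hash_hex), candidate)


def exchange(record: str, typed_password: str) -> bool:
    """Both sides of the exchange: salt out in-band, salted hash back."""
    salt = salt_from_record(record)            # server -> client, in the clear
    candidate = derive(typed_password, salt)   # computed on the client
    return server_verify(record, candidate)    # checked on the server


if __name__ == "__main__":
    rec = make_record("correct horse")  # constructed sample password
    print(rec)
    print(exchange(rec, "correct horse"), exchange(rec, "wrong guess"))
```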