I am not sure I fully grasp what Kurt is saying in his detailed response, but if I were architecting the solution, I would say whoever gives you the encrypted password can give you the salt. It is like an IV; the recipient gets it insecurely in-band.

> -----Original Message-----
> From: x500standard-bounce@xxxxxxxxxxxxx
> [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Wilson
> Sent: Wednesday, September 23, 2009 4:44 PM
> To: x500standard@xxxxxxxxxxxxx
> Subject: [x500standard] Re: New draft on password policy
>
> On Wed, 2009-09-23 at 16:17 -0400, Santosh Chokhani wrote:
> > I agree, but revealing the salt or not revealing the salt is not as
> > security relevant.
>
> which brings us back to Kurt's point about how does the
> client know what salt to use, if the server holds the hashed
> password+salt.
>
> -----
> www.x500standard.com: The central source for information on
> the X.500 Directory Standard.
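The point made above, that the salt is not a secret and can travel in the open next to the hash the way an IV travels next to a ciphertext, as an added example (not code from this thread or from the X.500 standard): a constructed stored-verifier format that carries its own salt and cost parameter, so anyone holding the stored value can read the salt, but only the password holder can reproduce the hash. The `{PBKDF2-SHA256}` scheme label and `$`-separated layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example format (assumed, not a real LDAP/RFC scheme):
#   {PBKDF2-SHA256}<iterations>$<base64 salt>$<base64 hash>
# The salt is carried in-band inside the stored value, like an IV beside
# a ciphertext: it is public, and only the password is secret.
SCHEME = "{PBKDF2-SHA256}"
ITERATIONS = 600_000


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Build a stored verifier that embeds its own random salt."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (f"{SCHEME}{iterations}$"
            f"{base64.b64encode(salt).decode()}$"
            f"{base64.b64encode(digest).decode()}")


def parse_verifier(stored: str) -> Tuple[int, bytes, bytes]:
    """Recover (iterations, salt, hash) from the stored value; no secret is needed."""
    if not stored.startswith(SCHEME):
        raise ValueError("unknown scheme")
    iters, salt_b64, hash_b64 = stored[len(SCHEME):].split("$")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify(stored: str, candidate: str) -> bool:
    """Server-side check: rehash the candidate with the in-band salt, compare in constant time."""
    iterations, salt, expected = parse_verifier(stored)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    v1 = make_verifier("correct horse battery staple")
    v2 = make_verifier("correct horse battery staple")
    print(v1 != v2)  # same password, different salts -> different verifiers
    print(verify(v1, "correct horse battery staple"))
    print(verify(v1, "wrong"))
```

Because the salt is readable by anyone who can read the stored value, its only job is to make precomputed-table and cross-account comparison attacks useless; the cost parameter, not salt secrecy, is what slows guessing.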