[x500standard] Re: New draft on password policy

  • From: Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Thu, 24 Sep 2009 12:27:07 -0700


On Sep 24, 2009, at 10:59 AM, David Chadwick wrote:

> In method two, the user generates the salt, so it can be whatever the user wants it to be. But this means the user must remember both the salt and the password.

And because users will find this hard to do on a context-specific basis, they'll just reuse salts as they reuse passwords... and that diminishes the only purported benefit this mechanism had, preventing DSA reuse in other contexts.

> This is why we think this method has little utility and is not recommended.

Why then add it to the standard? Adding such a feature to the standard does more harm than good.

While I would find introduction of a well-designed password-based mechanism which had SCRAM-like features (disallow server reuse, channel bindings, etc.) less objectionable, I much rather simply have well-integrated SASL and TLS support and simply use SCRAM or the like.

-- Kurt
-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
