[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [office] Passwords
That's a good idea, though I note that since this spec was written some new attacks on SHA1 have appeared. Is it possible to say "use xmlenc _except_ we change SHA256 from RECOMMENDED to REQUIRED"? It seems appropriate to "require" at least one hash which, at the time of writing, "has no known attacks". Good idea? Bad idea? Best, Daniel. On Tue, 2006-28-11 at 10:32 +0000, Florian Reuter wrote: > Hi, > > I would suggest using the http://www.w3.org/TR/xmlenc-core/ specification as a basis. > > It specifies the following digest algorithms. > > <cite> > Message Digest > > 1. REQUIRED SHA1 > http://www.w3.org/2000/09/xmldsig#sha1 > 2. RECOMMENDED SHA256 > http://www.w3.org/2001/04/xmlenc#sha256 > 3. OPTIONAL SHA512 > http://www.w3.org/2001/04/xmlenc#sha512 > 4. OPTIONAL RIPEMD-160 > http://www.w3.org/2001/04/xmlenc#ripemd160 > </cite> > > > ~Florian > > > > > >>> Patrick Durusau <patrick@durusau.net> 11/28/06 1:51 AM >>> > Greetings, > > I keep running into: > > "To avoid saving the password directly into the XML file, only a hash > value of the password is stored." > > But the value, not surprisingly, is "string." > > Shouldn't encryption of the password be considered as application specific? > > Thus: > > Passwords should not be saved without encryption in the XML file. The > encryption to be used is application specific. > > Which raises the interesting issue of how one indicates what > hash/encryption function was used? > > I am assuming that simply because one ODF comformant application uses a > particular hash function, there is no gurantee that another will use the > same function. > > Hope everyone is having a great day! > > Patrick > -- "I AM in shape. Round IS a shape."
This is a digitally signed message part
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]