Subject: RE: [ws-sx] Issue 32: Deriving keys from passwords
Hal,

I agree that given the spec allows sp:RequireDerivedKeys inside Username Token assertions, the text you cite at the end of section 5.3.1 is contradictory. I propose we remove said text.

Cheers

Gudge

> -----Original Message-----
> From: Marc Goodner [mailto:mgoodner@microsoft.com]
> Sent: 14 February 2006 13:45
> To: Hal Lockhart; ws-sx@lists.oasis-open.org
> Subject: [ws-sx] Issue 32: Deriving keys from passwords
>
> This is now logged as issue 32.
>
> Marc Goodner
> Technical Diplomat
> Microsoft Corporation
> Tel: (425) 703-1903
> Blog: http://spaces.msn.com/mrgoodner/
>
> -----Original Message-----
> From: Hal Lockhart [mailto:hlockhar@bea.com]
> Sent: Tuesday, February 14, 2006 1:43 PM
> To: ws-sx@lists.oasis-open.org
> Cc: Marc Goodner
> Subject: [ws-sx] NEW Issue: Deriving keys from passwords
>
> PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> THE ISSUE IS ASSIGNED A NUMBER.
>
> The issues coordinators will notify the list when that has occurred.
>
> Protocol: ws-sp
> http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/16565/ws-securitypolicy-1.2-spec-ed-01-r03-diff.doc
>
> Artifact: schema / policy
>
> Type:
>
> [design]
>
> Title:
>
> WS-SP should permit Policy to specify the use of keys derived from
> passwords
>
> Description:
>
> At the end of section 5.3.1 it says:
>
> ----
> Note: While Username tokens could be used cryptographically, such usage
> is discouraged in general because of the relatively low entropy
> typically associated with passwords. This specification does not define
> a cryptographic binding for the Username token. A new token assertion
> could be defined to allow for cryptographic binding.
> ----
>
> I believe that WS-SP should enable all the functionality defined in the
> referenced specs. Specifically, WSS 1.1 defines an algorithm for
> deriving keys from passwords. I think WS-SP should support this and
> allow organizations to decide for themselves if they wish to use them or
> not. There are already warnings about the issues in the security
> considerations section of the WSS 1.1 Username Token Profile Security
> Considerations section.
>
> Related issues:
>
> none
>
> Proposed Resolution:
>
> Not yet. First is there opposition?
>
> Hal