Subject: Re: [ws-sx] Proposal for Issue #31 - Richer Username Token Policies



[HL]

 >
 >Yes. In my view there are four cases:
 >
 >1. Username alone sent under signature linked to some other Token, e.g.
 >X.509. (WS-I Sample apps use this idiom, for example.)
 >
 >2. Username alone with key derived from password. Ability to verify
 >signature or decrypt data verifies password. Undesirable to send
 >password or hash in message.
 >
 >3. Username and text password. Password verified directly. Keys derived
 >from password would be exposed.
 >
 >4. Username and WSS specified hash. Alternative to key derivation, which
 >is not bound to message content.
 >
[HL]

To this I would add Case 4a: wherein the recipient only has access to
the SHA-1 hash of the original
password and the WSS specified hash is constructed over the SHA-1 hash.

= prateek
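An added worked example, not part of the thread or of any OASIS specification text: it models the verification the cases above imply, from the recipient's side. The `PasswordDigest` is built as the WSS UsernameToken Profile specifies it (Base64 of SHA-1 over nonce, created timestamp and secret). Case 4 feeds the cleartext password in as the secret; case 4a feeds in the SHA-1 of the password, which is assumed here to be the raw 20-byte digest (the message does not say which encoding it meant). The key derivation for case 2 follows the iterated-SHA-1 construction of UsernameToken Profile 1.1 as I understand it (password plus 16-byte salt, last salt byte 0x01 for signing and 0x02 for encryption, 1000 iterations); treat those parameters as an assumption of this example. All nonces, timestamps, usernames and passwords are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def wss_password_digest(nonce: bytes, created: str, secret: bytes) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + secret)).
    Case 4: secret is the cleartext password. Case 4a: secret is SHA-1(password)."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + secret).digest()
    return base64.b64encode(h).decode("ascii")


def build_token(username, password, hashed_store=False, created=None, nonce=None):
    """Client side: the fields a UsernameToken carries (a dict standing in for the XML)."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pw = password.encode("utf-8")
    secret = hashlib.sha1(pw).digest() if hashed_store else pw  # 4a vs 4
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": wss_password_digest(nonce, created, secret)}


class DigestVerifier:
    """Recipient side. `store` maps username -> secret bytes: the cleartext password
    (case 4) or SHA-1(password) (case 4a). The check is the same either way, since
    the digest is computed over whatever the recipient stores."""

    def __init__(self, store, freshness=timedelta(minutes=5)):
        self.store = store
        self.freshness = freshness
        self.seen = set()  # replay cache; a real deployment expires entries with Created

    def verify(self, token, now=None) -> bool:
        secret = self.store.get(token["Username"])
        if secret is None:
            return False
        nonce = base64.b64decode(token["Nonce"])
        now = now or datetime.now(timezone.utc)
        try:
            created_dt = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return False
        if abs(now - created_dt.replace(tzinfo=timezone.utc)) > self.freshness:
            return False  # stale or future-dated token
        if (token["Username"], nonce) in self.seen:
            return False  # replay
        expected = wss_password_digest(nonce, token["Created"], secret)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen.add((token["Username"], nonce))
        return True


def derive_key(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Case 2: K1 = SHA-1(password || salt), Kn = SHA-1(Kn-1) (assumed parameters).
    Nothing from the message enters the derivation, which is the point made in case 4:
    the resulting key is bound to the password and salt, not to message content."""
    k = hashlib.sha1(password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        k = hashlib.sha1(k).digest()
    return k


def demo() -> dict:
    """Exercise the cases with fixed constructed inputs; returns outcomes."""
    created, nonce = "2006-03-01T12:00:00Z", bytes(range(16))
    now = datetime(2006, 3, 1, 12, 0, 30, tzinfo=timezone.utc)
    r = {}
    # Case 4: recipient stores the cleartext password.
    v4 = DigestVerifier({"alice": b"correct horse"})
    tok = build_token("alice", "correct horse", created=created, nonce=nonce)
    r["case4_ok"] = v4.verify(tok, now=now)
    r["case4_replay"] = v4.verify(tok, now=now)
    stale = build_token("alice", "correct horse", created="2006-03-01T11:00:00Z", nonce=nonce)
    r["case4_stale"] = DigestVerifier({"alice": b"correct horse"}).verify(stale, now=now)
    # Case 4a: recipient stores only SHA-1(password); the digest is built over that.
    v4a = DigestVerifier({"alice": hashlib.sha1(b"correct horse").digest()})
    r["case4_token_vs_4a_store"] = v4a.verify(tok, now=now)  # digest mismatch
    tok4a = build_token("alice", "correct horse", hashed_store=True, created=created, nonce=nonce)
    r["case4a_ok"] = v4a.verify(tok4a, now=now)
    bad = dict(tok4a, PasswordDigest=tok4a["PasswordDigest"][:-4] + "AAAA")
    r["case4a_tampered"] = DigestVerifier(v4a.store).verify(bad, now=now)
    # Case 2: signing and encryption keys come from distinct salts.
    sig_key = derive_key("correct horse", bytes(15) + b"\x01")
    enc_key = derive_key("correct horse", bytes(15) + b"\x02")
    r["case2_keys_distinct"] = sig_key != enc_key
    r["case2_key_len"] = len(sig_key)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 4a verifier and the case-4 verifier share one code path, which is what makes 4a attractive operationally: the recipient's store holds SHA-1(password) rather than the password, yet the freshness window and nonce cache that keep a digest from being replayed are unchanged. The flip side, visible in `derive_key`, is that the case-2 key contains no nonce or timestamp at all, so binding to a particular message has to come from the signature the key produces, not from the derivation.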
