Subject: RE: [ws-sx] Proposal for Issue #31 - Richer Username Token Policies
Prateek,

Can you point me to the text in [1] that defines this case?

Thanks

Gudge

[1] http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf

> -----Original Message-----
> From: Prateek Mishra [mailto:prateek.mishra@oracle.com]
> Sent: 30 May 2006 06:57
> To: Hal Lockhart
> Cc: Martin Gudgin; ws-sx@lists.oasis-open.org
> Subject: Re: [ws-sx] Proposal for Issue #31 - Richer Username Token Policies
>
> [HL]
>
> > Yes. In my view there are four cases:
> >
> > 1. Username alone sent under signature linked to some other Token, e.g. X.509. (WS-I Sample apps use this idiom, for example.)
> >
> > 2. Username alone with key derived from password. Ability to verify signature or decrypt data verifies password. Undesirable to send password or hash in message.
> >
> > 3. Username and text password. Password verified directly. Keys derived from password would be exposed.
> >
> > 4. Username and WSS specified hash. Alternative to key derivation, which is not bound to message content.
>
> [HL]
>
> To this I would add Case 4a: wherein the recipient only has access to the SHA-1 hash of the original password and the WSS specified hash is constructed over the SHA-1 hash.
>
> = prateek
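The following is an added example, not code from the thread, from the WSS specification or from either author. It shows cases 4 and 4a side by side: the WSS 1.1 UsernameToken PasswordDigest, Base64(SHA-1(nonce + created + password)), computed by a client and checked by a recipient that holds either the cleartext password (case 4) or, for the proposed case 4a, only SHA-1(password), with the digest then constructed over that hash. The nonce, Created value, password and 300-second freshness window are constructed sample values, and feeding the raw SHA-1 digest bytes into the outer hash for case 4a is an assumption, since the thread does not fix an encoding for that inner hash.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional, Union

# Constructed sample values (not from the thread) so the example is deterministic.
SAMPLE_NONCE = bytes(range(16))
SAMPLE_CREATED = "2006-05-30T06:57:00Z"
SAMPLE_NOW = datetime(2006, 5, 30, 6, 58, tzinfo=timezone.utc)   # 60 s after Created
SAMPLE_LATER = datetime(2006, 5, 30, 8, 0, tzinfo=timezone.utc)  # well past the window


def password_digest(nonce: bytes, created: str, secret: Union[str, bytes]) -> str:
    """WSS 1.1 PasswordDigest = Base64(SHA-1(nonce + created + password)).

    `secret` is the cleartext password (Hal's case 4) or, for Prateek's case 4a,
    SHA-1(password). Using the raw 20 digest bytes as that inner value is an
    assumption of this example; the thread does not specify an encoding.
    """
    if isinstance(secret, str):
        secret = secret.encode("utf-8")
    digest = hashlib.sha1(nonce + created.encode("utf-8") + secret).digest()
    return base64.b64encode(digest).decode("ascii")


def password_hash(password: str) -> bytes:
    """Case 4a: the only value the recipient stores, SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def make_token(username: str, secret: Union[str, bytes],
               nonce: bytes = SAMPLE_NONCE, created: str = SAMPLE_CREATED) -> dict:
    """The child elements a client places in <wsse:UsernameToken> for a digest password."""
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, secret),
    }


class DigestVerifier:
    """Recipient-side check: freshness window, nonce replay cache, then the digest.

    `stored_secret` is the cleartext password (case 4) or password_hash(password)
    (case 4a); the verification formula is identical in both cases.
    """

    def __init__(self, stored_secret: Union[str, bytes], max_age_seconds: int = 300):
        self.stored_secret = stored_secret
        self.max_age = max_age_seconds
        self.seen = set()  # (nonce, created) pairs already accepted

    def verify(self, token: dict, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        nonce = base64.b64decode(token["Nonce"])
        created = token["Created"]
        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
        # A digest proves nothing about when it was made: reject stale Created values.
        if abs((now - created_at).total_seconds()) > self.max_age:
            return False
        # Reject a (nonce, created) pair that was already accepted: replay.
        if (nonce, created) in self.seen:
            return False
        expected = password_digest(nonce, created, self.stored_secret)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen.add((nonce, created))
        return True


if __name__ == "__main__":
    # Case 4: recipient holds the cleartext password.
    v4 = DigestVerifier("s3cret")
    print("case 4  :", v4.verify(make_token("alice", "s3cret"), SAMPLE_NOW))
    # Case 4a: recipient holds only SHA-1(password); the client digests over that hash.
    v4a = DigestVerifier(password_hash("s3cret"))
    print("case 4a :", v4a.verify(make_token("alice", password_hash("s3cret")), SAMPLE_NOW))
```

One consequence worth seeing in the code: in case 4a the client must itself compute SHA-1(password) and digest over it, so the stored SHA-1 value is exactly what the client needs to authenticate. The recipient no longer holds the cleartext password, but whoever obtains its store can produce valid digests without it, which is why the nonce cache and Created window remain necessary in both cases.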