Subject: Re: [wss-dev] Question regarding Username Token Profile 1.0
I think digests themselves are not a great way to hide passwords. (MIMs can copy and send digests instead of passwords.) So, if you really want to use passwords, creating a digest along with other variables will ensure better security - and nonce and timestamp provide those variables/mechanisms.

However, I think it is part of the recommendations too, you are better off encrypting the usernametoken block if you want to use passwords in clear.

But, to answer your question, I think it is technically OK to have plain text password along with nonce and timestamp.

--- Jahan Moreh <jmoreh@sigaba.com> wrote:

> Colleagues -
> WSS Username Token Profile 1.0 lines 108-109 states:
> "If either or both of <wsse:Nonce> and <wsu:Created>
> are present they MUST be
> included in the digest value as follows:.."
>
> What if there is no digest value? In other words,
> does this spec allow
> inclusion of <wsse:Nonce> and <wsu:Created> using
> passwords of type
> passwordText? Below is an example of what I am
> thinking of and was wondering
> if this would be considered compliant or not:
>
> <wsse:Security >
>   <wsse:UsernameToken >
>     <wsse:Username>SomeUser</wsse:Username>
>     <wsse:Password Type="...#PasswordText">SomePassword</wsse:Password>
>     <wsse:Nonce>OGJjZjQwNjI5NzNmZjEzMjkwNDg5YzY4MWQzYTUwYWQ=</wsse:Nonce>
>     <wsu:Created>2005-08-26T23:19:40Z</wsu:Created>
>   </wsse:UsernameToken>
> </wsse:Security> ...
>
> I do realize that there are security implications
> and in this particular
> case there are certain mitigating circumstances whose
> explanation is beyond the
> scope of this message.
>
> Thanks in advance,
> Jahan
>
> ------------------------------
> Jahan Moreh
> Chief Security Architect
> 310.288.2141
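Added example, not part of the original messages or of any WSS implementation: a receiver-side check showing how the nonce and timestamp limit replay for both password types discussed in this thread, using the Username Token Profile 1.0 digest, Base64(SHA-1(nonce + created + password)). The `TokenVerifier` class, the five-minute freshness window and the in-memory nonce cache are assumptions made for illustration; the sample values are the ones from the quoted message.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)   # assumed acceptance window, not from the thread
NONCE = "OGJjZjQwNjI5NzNmZjEzMjkwNDg5YzY4MWQzYTUwYWQ="   # value from the quoted example
CREATED = "2005-08-26T23:19:40Z"                         # value from the quoted example

def password_digest(nonce_b64, created, password):
    """Username Token Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class TokenVerifier:
    """Hypothetical receiver: checks freshness, nonce reuse, then the password."""
    def __init__(self, passwords):
        self.passwords = passwords   # username -> password (constructed sample data)
        self.seen = set()            # (user, nonce) pairs already accepted

    def verify(self, user, pw_value, pw_type, nonce_b64, created, now):
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - ts) > FRESHNESS:
            return "stale"           # old captures are rejected outright
        if (user, nonce_b64) in self.seen:
            return "replay"          # same nonce inside the window: copied token
        stored = self.passwords.get(user)
        if stored is None:
            return "bad-credentials"
        if pw_type == "PasswordText":
            expected = stored        # nonce/created are not bound to the password here
        else:                        # "PasswordDigest"
            expected = password_digest(nonce_b64, created, stored)
        if not hmac.compare_digest(expected.encode(), pw_value.encode()):
            return "bad-credentials"
        self.seen.add((user, nonce_b64))
        return "ok"

if __name__ == "__main__":
    v = TokenVerifier({"SomeUser": "SomePassword"})
    now = datetime(2005, 8, 26, 23, 20, 0, tzinfo=timezone.utc)
    digest = password_digest(NONCE, CREATED, "SomePassword")
    print(v.verify("SomeUser", digest, "PasswordDigest", NONCE, CREATED, now))
    print(v.verify("SomeUser", digest, "PasswordDigest", NONCE, CREATED, now))
```

With `PasswordText` the nonce and timestamp still drive the receiver's replay cache, but nothing ties them to the password, so the token block needs encryption or a protected transport, as the reply recommends.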