wss-dev message



Subject: Re: [wss-dev] Question regarding Username Token Profile 1.0


I think digests themselves are not a great way to hide
passwords. (MIMs can copy and send digests instead of
passwords.)

So, if you really want to use passwords, creating a
digest along with other variables will ensure better
security - and nonce and timestamp provide those
variables/mechanisms.

However, and I think this is part of the recommendations
too, you are better off encrypting the UsernameToken
block if you want to use passwords in the clear.

But, to answer your question, I think it is
technically OK to have a plain text password along with
nonce and timestamp.


--- Jahan Moreh <jmoreh@sigaba.com> wrote:

> Colleagues - 
> WSS Username Token Profile 1.0 lines 108-109 states:
> "If either or both of <wsse:Nonce> and <wsu:Created>
> are present they MUST be
> included in the digest value as follows:..."
> 
> What if there is no digest value. In other words,
> does this spec allow
> inclusion of <wsse:Nonce> and <wsu:Created> using
> passwords of type
> passwordText. Below is an example of what I am
> thinking of and was wondering
> if this would be considered compliant or not:
> 
> <wsse:Security>
>   <wsse:UsernameToken>
>     <wsse:Username>SomeUser</wsse:Username>
>     <wsse:Password Type="...#PasswordText">SomePassword</wsse:Password>
>     <wsse:Nonce>OGJjZjQwNjI5NzNmZjEzMjkwNDg5YzY4MWQzYTUwYWQ=</wsse:Nonce>
>     <wsu:Created>2005-08-26T23:19:40Z</wsu:Created>
>   </wsse:UsernameToken>
> </wsse:Security> ...
> 
> I do realize that there are security implications
> and in this particular
> case there certain mitigating circumstances whose
> explanation is beyond the
> scope of this message.
> 
> Thanks in advance,
> Jahan
> 
> ------------------------------
> Jahan Moreh
> Chief Security Architect
> 310.288.2141



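The reply's point is that a PasswordDigest on its own can be captured and replayed, and that the nonce and timestamp only help if the receiver actually checks them. The following Python is an added example, not code from this thread or from the OASIS profile: it computes the Username Token Profile 1.0 digest (Base64(SHA-1(nonce + created + password))) using the values from the quoted message, and pairs it with an assumed `UsernameTokenVerifier` class that enforces a freshness window and nonce uniqueness so that a replayed token is rejected.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Values taken from the quoted example message (the password is its placeholder).
USERNAME = "SomeUser"
PASSWORD = "SomePassword"
NONCE_B64 = "OGJjZjQwNjI5NzNmZjEzMjkwNDg5YzY4MWQzYTUwYWQ="
CREATED = "2005-08-26T23:19:40Z"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password)).
    The nonce is the raw bytes that the Base64 text in <wsse:Nonce> encodes."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


class UsernameTokenVerifier:
    """Assumed receiver-side helper (not part of the profile): recompute the digest and
    enforce the two checks that make it replay-resistant, freshness and nonce uniqueness."""

    def __init__(self, passwords: dict, window: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.window = window
        self.seen = set()  # (username, nonce) pairs already accepted within the window

    def verify(self, username: str, digest: str, nonce_b64: str, created: str, now: datetime) -> str:
        pw = self.passwords.get(username)
        if pw is None:
            return "unknown user"
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.window:
            return "stale timestamp"  # outside the clock-skew window: reject before hashing
        if (username, nonce_b64) in self.seen:
            return "replayed nonce"  # same nonce seen again: a copied digest, per the reply
        if not hmac.compare_digest(digest, password_digest(nonce_b64, created, pw)):
            return "bad digest"
        self.seen.add((username, nonce_b64))
        return "ok"


def demo() -> tuple:
    """Constructed scenario: first use accepted, replay rejected, wrong password rejected."""
    v = UsernameTokenVerifier({USERNAME: PASSWORD})
    now = datetime(2005, 8, 26, 23, 20, 0, tzinfo=timezone.utc)  # 20 s after <wsu:Created>
    good = password_digest(NONCE_B64, CREATED, PASSWORD)
    bad = password_digest("bmV3", CREATED, "WrongPassword")
    return (v.verify(USERNAME, good, NONCE_B64, CREATED, now),
            v.verify(USERNAME, good, NONCE_B64, CREATED, now),
            v.verify(USERNAME, good, NONCE_B64, CREATED, now + timedelta(hours=1)),
            v.verify(USERNAME, bad, "bmV3", CREATED, now),
            v.verify("nobody", good, NONCE_B64, CREATED, now))
```

A PasswordText token carrying the same nonce and created elements, as in the quoted message, gets the same freshness and uniqueness checks but no digest comparison, which is why the reply still recommends encrypting the UsernameToken block in that case.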

