wss-dev message

Subject: RE: [wss-dev] Should UsernameToken Password Equivalent be Base64Encoded after Hashing?

From: Harold Lockhart <hal.lockhart@oracle.com>
To: Patrick Ryan <oasis@pryan.org>, wss-dev@lists.oasis-open.org
Date: Fri, 18 Jun 2010 05:08:44 -0700 (PDT)

The first one. We don't hash base 64.

Hal

> -----Original Message-----
> From: Patrick Ryan [mailto:oasis@pryan.org]
> Sent: Thursday, June 17, 2010 7:52 PM
> To: wss-dev@lists.oasis-open.org
> Subject: [wss-dev] Should UsernameToken Password Equivalent be Base64
> Encoded after Hashing?
> 
> 
> Hello,
> 
> When using WSS UsernameToken Profile 1.1 with passwords of 
> type PasswordDigest using the nonce 
> and creation timestamp, how should the password equivalent be 
> computed?
> 
> There seems to be two candidate methods:
> 
> 1. Password_Digest = Base64 ( SHA-1 ( nonce + created + SHA-1 
> ( password ) ) )
> 
> 2. Password_Digest = Base64 ( SHA-1 ( nonce + created + 
> Base64 ( SHA-1 ( password ) ) ) )
> 
> Which one should be used?  Or is there a third method?
> 
> Thanks,
> Patrick
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: wss-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: wss-dev-help@lists.oasis-open.org
> 
>

Follow-Ups:
- Re: [wss-dev] Should UsernameToken Password Equivalent be Base64Encoded after Hashing?
  - From: Patrick Ryan <oasis@pryan.org>

References:
- Should UsernameToken Password Equivalent be Base64 Encoded afterHashing?
  - From: Patrick Ryan <oasis@pryan.org>