ws-sx message


Subject: Issue 32: Deriving keys from passwords


This is now logged as issue 32.

Marc Goodner
Technical Diplomat
Microsoft Corporation
Tel: (425) 703-1903
Blog: http://spaces.msn.com/mrgoodner/ 


-----Original Message-----
From: Hal Lockhart [mailto:hlockhar@bea.com] 
Sent: Tuesday, February 14, 2006 1:43 PM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] NEW Issue: Deriving keys from passwords

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
THE ISSUE IS ASSIGNED A NUMBER.

The issues coordinators will notify the list when that has occurred.

 

Protocol:   ws-sp
http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/16565/ws-securitypolicy-1.2-spec-ed-01-r03-diff.doc


 

Artifact:   schema / policy

 

Type:

[design]

 

Title:

WS-SP should permit Policy to specify the use of keys derived from
passwords

 

Description:

At the end of section 5.3.1 it says:

----
Note: While Username tokens could be used cryptographically, such usage
is discouraged in general because of the relatively low entropy
typically associated with passwords. This specification does not define
a cryptographic binding for the Username token. A new token assertion
could be defined to allow for cryptographic binding.
----

I believe that WS-SP should enable all the functionality defined in the
referenced specs. Specifically, WSS 1.1 defines an algorithm for
deriving keys from passwords. I think WS-SP should support this and
allow organizations to decide for themselves if they wish to use them or
not. There are already warnings about the issues in the security
considerations section of the WSS 1.1 Username Token Profile Security
Considerations section.
 

Related issues:

none

 

Proposed Resolution:

Not yet. First, is there opposition?


Hal

