Subject: Issue 32: Deriving keys from passwords
This is now logged as issue 32.

Marc Goodner
Technical Diplomat
Microsoft Corporation
Tel: (425) 703-1903
Blog: http://spaces.msn.com/mrgoodner/

-----Original Message-----
From: Hal Lockhart [mailto:hlockhar@bea.com]
Sent: Tuesday, February 14, 2006 1:43 PM
To: ws-sx@lists.oasis-open.org
Cc: Marc Goodner
Subject: [ws-sx] NEW Issue: Deriving keys from passwords

PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER. The issues coordinators will notify the list when that has occurred.

Protocol: ws-sp
http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/16565/ws-securitypolicy-1.2-spec-ed-01-r03-diff.doc

Artifact: schema / policy

Type: [design]

Title: WS-SP should permit Policy to specify the use of keys derived from passwords

Description:

At the end of section 5.3.1 it says:

----
Note: While Username tokens could be used cryptographically, such usage is discouraged in general because of the relatively low entropy typically associated with passwords. This specification does not define a cryptographic binding for the Username token. A new token assertion could be defined to allow for cryptographic binding.
----

I believe that WS-SP should enable all the functionality defined in the referenced specs. Specifically, WSS 1.1 defines an algorithm for deriving keys from passwords. I think WS-SP should support this and allow organizations to decide for themselves if they wish to use them or not. There are already warnings about the issues in the security considerations section of the WSS 1.1 Username Token Profile Security Considerations section.

Related issues: none

Proposed Resolution: Not yet. First is there opposition?

Hal