
Subject: RE: [ws-sx] Issue 32: Deriving keys from passwords


Hal,

I agree that given the spec allows sp:RequireDerivedKeys inside Username
Token assertions, the text you cite at the end of section 5.3.1 is
contradictory.

I propose we remove said text. 

Cheers

Gudge

 

> -----Original Message-----
> From: Marc Goodner [mailto:mgoodner@microsoft.com] 
> Sent: 14 February 2006 13:45
> To: Hal Lockhart; ws-sx@lists.oasis-open.org
> Subject: [ws-sx] Issue 32: Deriving keys from passwords
> 
> This is now logged as issue 32.
> 
> Marc Goodner
> Technical Diplomat
> Microsoft Corporation
> Tel: (425) 703-1903
> Blog: http://spaces.msn.com/mrgoodner/ 
> 
> 
> -----Original Message-----
> From: Hal Lockhart [mailto:hlockhar@bea.com] 
> Sent: Tuesday, February 14, 2006 1:43 PM
> To: ws-sx@lists.oasis-open.org
> Cc: Marc Goodner
> Subject: [ws-sx] NEW Issue: Deriving keys from passwords
> 
> PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL
> THE ISSUE IS ASSIGNED A NUMBER.  
> 
> The issues coordinators will notify the list when that has occurred.
> 
>  
> 
> Protocol:   ws-sp
> http://www.oasis-open.org/apps/org/workgroup/ws-sx/download.php/16565/ws-securitypolicy-1.2-spec-ed-01-r03-diff.doc
> 
> 
>  
> 
> Artifact:   schema / policy
> 
>  
> 
> Type:
> 
> [design]
> 
>  
> 
> Title:
> 
> WS-SP should permit Policy to specify the use of keys derived from
> passwords
> 
>  
> 
> Description:
> 
> At the end of section 5.3.1 it says:
> 
> ----
> Note: While Username tokens could be used cryptographically, such usage
> is discouraged in general because of the relatively low entropy
> typically associated with passwords. This specification does not define
> a cryptographic binding for the Username token. A new token assertion
> could be defined to allow for cryptographic binding.
> ----
> 
> I believe that WS-SP should enable all the functionality defined in the
> referenced specs. Specifically, WSS 1.1 defines an algorithm for
> deriving keys from passwords. I think WS-SP should support this and
> allow organizations to decide for themselves if they wish to use them or
> not. There are already warnings about the issues in the security
> considerations section of the WSS 1.1 Username Token Profile Security
> Considerations section.
>  
> 
> Related issues:
> 
> none
> 
>  
> 
> Proposed Resolution:
> 
> Not yet. First is there opposition?
> 
> 
> Hal
> 
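For readers following the issue, the following is an added illustration of what "deriving keys from passwords" means for a UsernameToken, together with the work-factor arithmetic behind the low-entropy warning quoted from section 5.3.1. It is not part of the thread and is not OASIS, Microsoft or BEA code. The derivation scheme (SHA-1 of password and salt, re-hashed for an iteration count, with the first salt byte labelling a signature key 0x01 or an encryption key 0x02, and a default of 1000 iterations) is stated from memory of the WSS 1.1 UsernameToken Profile and should be treated as an assumption to check against the profile text; the function names, the sample password and the fixed salt bytes are constructed for the example.

```python
"""Password-derived keys for a WSS 1.1 UsernameToken (added illustration).

Assumed scheme (recollection of the WSS 1.1 UsernameToken Profile key
derivation; verify against the profile):
    K1  = SHA-1(password_utf8 || salt)
    Ki  = SHA-1(K(i-1))            for i = 2 .. iteration_count
    key = K(iteration_count)       (160 bits)
The 16-byte salt's first byte labels the key's purpose (0x01 signature,
0x02 encryption); the remaining 15 bytes are random.
"""
import hashlib
import math
import os
from typing import Optional, Tuple

DEFAULT_ITERATIONS = 1000        # assumed profile default
SALT_LABEL_SIGNATURE = 0x01
SALT_LABEL_ENCRYPTION = 0x02
SALT_LENGTH = 16


def make_salt(for_signature: bool, random_part: Optional[bytes] = None) -> bytes:
    """Build a 16-byte salt: purpose label byte followed by 15 random bytes.

    random_part may be supplied (tests, deterministic examples); otherwise it
    is drawn from os.urandom.
    """
    label = SALT_LABEL_SIGNATURE if for_signature else SALT_LABEL_ENCRYPTION
    rnd = os.urandom(SALT_LENGTH - 1) if random_part is None else random_part
    if len(rnd) != SALT_LENGTH - 1:
        raise ValueError("random part must be 15 bytes")
    return bytes([label]) + rnd


def derive_key(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive a 20-byte key from a password per the assumed scheme above."""
    if len(salt) != SALT_LENGTH:
        raise ValueError("salt must be exactly 16 bytes")
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    key = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Each further iteration re-hashes the previous digest, not the password.
    for _ in range(iterations - 1):
        key = hashlib.sha1(key).digest()
    return key


def exhaustive_search_cost(alphabet_size: int, length: int,
                           iterations: int = DEFAULT_ITERATIONS) -> Tuple[float, int]:
    """Defender-side estimate behind the section 5.3.1 note.

    Returns (password entropy in bits, SHA-1 invocations needed to try every
    password of the given alphabet and length). The iteration count scales
    the cost linearly; each extra bit of entropy doubles it, which is why a
    high iteration count cannot compensate for a low-entropy password.
    """
    candidates = alphabet_size ** length
    return math.log2(candidates), candidates * iterations


if __name__ == "__main__":
    # Constructed sample values; the salt bytes are fixed only for illustration.
    password = "correct horse"
    sig_salt = make_salt(True, bytes(range(1, 16)))
    enc_salt = make_salt(False, bytes(range(1, 16)))
    print("signature key :", derive_key(password, sig_salt).hex())
    print("encryption key:", derive_key(password, enc_salt).hex())
    bits, work = exhaustive_search_cost(10, 4)          # 4-digit PIN
    print(f"4-digit PIN: {bits:.1f} bits, {work:,} SHA-1 calls to exhaust")
    bits, work = exhaustive_search_cost(62, 12)         # 12 alphanumerics
    print(f"12 alphanumerics: {bits:.1f} bits, {work:.3e} SHA-1 calls to exhaust")
```

The same password yields different signature and encryption keys only because the salt label differs, so an implementation must never reuse one salt for both purposes; the cost function makes Hal's and the spec note's trade-off concrete: the 1000-iteration default turns a four-digit PIN into ten million hash calls, which is still trivial, whereas it is the password's entropy that moves the estimate by orders of magnitude.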

