ws-sx message

Subject: RE: [ws-sx] Proposal for Issue #31 - Richer Username Token Policies


Prateek,

Can you point me to the text in [1] that defines this case?

Thanks

Gudge

[1] http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf

> -----Original Message-----
> From: Prateek Mishra [mailto:prateek.mishra@oracle.com]
> Sent: 30 May 2006 06:57
> To: Hal Lockhart
> Cc: Martin Gudgin; ws-sx@lists.oasis-open.org
> Subject: Re: [ws-sx] Proposal for Issue #31 - Richer Username Token Policies
> 
> 
> [HL]
> 
> > Yes. In my view there are four cases:
> >
> > 1. Username alone sent under signature linked to some other Token, e.g.
> > X.509. (WS-I Sample apps use this idiom, for example.)
> >
> > 2. Username alone with key derived from password. Ability to verify
> > signature or decrypt data verifies password. Undesirable to send
> > password or hash in message.
> >
> > 3. Username and text password. Password verified directly. Keys derived
> > from password would be exposed.
> >
> > 4. Username and WSS specified hash. Alternative to key derivation, which
> > is not bound to message content.
> >
> [HL]
> 
> To this I would add Case 4a: wherein the recipient only has access to
> the SHA-1 hash of the original password and the WSS specified hash is
> constructed over the SHA-1 hash.
> 
> = prateek
> 

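The cases quoted in the thread above concern how a recipient checks a UsernameToken. As an added example, not part of this thread and not text from the WSS UsernameToken Profile, the following Python computes the WSS 1.1 PasswordDigest (Base64(SHA-1(nonce + created + secret))) for case 4, the digest-over-the-SHA-1-hash variant that the thread calls case 4a, and the recipient-side check with a nonce cache and a Created freshness window. Assumptions: in 4a the secret is the raw 20-byte SHA-1 digest of the password (the thread does not fix an encoding), and the usernames, passwords, nonces and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime shape used for wsu:Created


def wss_password_digest(nonce: bytes, created: str, secret: bytes) -> str:
    """WSS 1.1 PasswordDigest = Base64(SHA-1(nonce + created + secret)).
    nonce: raw bytes (the Base64-decoded wsse:Nonce); created: the wsu:Created
    string as UTF-8. For case 4 `secret` is the UTF-8 password; for the thread's
    case 4a it is the SHA-1 hash of the password (raw digest; an assumption)."""
    material = nonce + created.encode("utf-8") + secret
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def client_secret(password: str, case: str) -> bytes:
    """What the sender (and the recipient's store) hold for each case."""
    if case == "4":
        return password.encode("utf-8")
    if case == "4a":
        return hashlib.sha1(password.encode("utf-8")).digest()
    raise ValueError(f"unsupported case {case!r}")


def make_token(username: str, password: str, case: str,
               nonce: Optional[bytes] = None,
               created: Optional[str] = None) -> dict:
    """Build the fields of a digest UsernameToken (as a dict, not XML)."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": wss_password_digest(nonce, created,
                                              client_secret(password, case)),
    }


class DigestVerifier:
    """Recipient side. `store` maps username -> stored secret (UTF-8 password
    for case 4, SHA-1 hash for case 4a). A nonce cache plus a Created window
    means a captured token is rejected the second time it is presented."""

    def __init__(self, store: dict, max_age: timedelta = timedelta(minutes=5)):
        self.store = store
        self.max_age = max_age
        self.seen_nonces = set()

    def verify(self, token: dict, now: Optional[str] = None) -> bool:
        now_dt = (datetime.strptime(now, TS_FMT) if now
                  else datetime.now(timezone.utc).replace(tzinfo=None))
        secret = self.store.get(token["Username"])
        if secret is None:
            return False
        created = datetime.strptime(token["Created"], TS_FMT)
        # Reject stale tokens and tokens claiming to come from the future.
        if not (now_dt - self.max_age <= created <= now_dt + timedelta(minutes=1)):
            return False
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False  # replay of an earlier token
        expected = wss_password_digest(nonce, token["Created"], secret)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    # Constructed sample values.
    tok = make_token("alice", "s3cret", "4a", nonce=b"\x01" * 16,
                     created="2006-05-30T06:57:00Z")
    v = DigestVerifier({"alice": client_secret("s3cret", "4a")})
    print(tok)
    print("first use:", v.verify(tok, now="2006-05-30T06:58:00Z"))
    print("replay:", v.verify(tok, now="2006-05-30T06:58:00Z"))
```

Two points the code makes visible. The recipient must hold exactly what the sender digests over: a case 4 store (plaintext passwords) cannot check a 4a token, and vice versa. And in 4a the stored SHA-1 hash is all a sender needs to produce a valid digest, so a copy of that store is password-equivalent for this token type; the nonce cache and freshness window, not the hash, are what keep a captured digest from being reused.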
