wss-comment message
Subject: Password Digest


UsernameToken Profile, working draft 4, 11/08/2003,
lines 106-108 say that the digested password offers no
additional security. Did I miss something here? The
issue is not what is sent over the network; instead it
is how the service side compares the password. If the
clear text password is used, then the Service
Provider has to store the clear text password for
password validation. This is a security issue.

Also, line 119, Password_Digest = Base64(SHA-1(nonce +
created + password)), has the same problem. In this
case, the Service Provider is unable to store a hashed
password; instead it has to store the clear text
password in its database. This will create a big
security issue.

If the password digest is changed to the following, then this
issue goes away.

Password_Digest = Base64(SHA-1(nonce + created +
SHA-1(password)))

Can this suggestion be considered? 


Eclouge Chang
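The two digest constructions compared in the post, as an added Python example that is not part of the original message or of the OASIS draft. It implements the draft's Password_Digest exactly as the post quotes it (nonce + created + password), and the proposed variant with SHA-1(password) in place of the password, then shows the server-side consequence: the draft verifier needs the clear-text password, while the proposed verifier can work from a stored SHA-1(password) alone. The nonce, timestamp and password values are constructed; the function names are this example's own.

```python
import base64
import hashlib
import hmac


def _b64_sha1(data: bytes) -> str:
    """Base64(SHA-1(data)) as an ASCII string, the encoding the draft uses."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def draft_password_digest(nonce: bytes, created: str, password: str) -> str:
    """Draft line 119: Password_Digest = Base64(SHA-1(nonce + created + password)).

    Whoever computes this needs the clear-text password, so a verifier that
    recomputes it must keep the clear-text password on file.
    """
    return _b64_sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))


def hash_password(password: str) -> bytes:
    """SHA-1(password): the only password-derived value the proposed verifier stores."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def proposed_password_digest(nonce: bytes, created: str, password_hash: bytes) -> str:
    """Proposal: Password_Digest = Base64(SHA-1(nonce + created + SHA-1(password))).

    Takes SHA-1(password) rather than the password itself, so the client passes
    hash_password(password) and the server passes the hash it already stores.
    """
    return _b64_sha1(nonce + created.encode("utf-8") + password_hash)


def verify_draft(stored_cleartext_password: str, nonce: bytes,
                 created: str, received_digest: str) -> bool:
    """Verifier for the draft scheme: only works if the clear-text password is stored."""
    expected = draft_password_digest(nonce, created, stored_cleartext_password)
    return hmac.compare_digest(expected, received_digest)


def verify_proposed(stored_password_hash: bytes, nonce: bytes,
                    created: str, received_digest: str) -> bool:
    """Verifier for the proposed scheme: needs only SHA-1(password), never the password."""
    expected = proposed_password_digest(nonce, created, stored_password_hash)
    return hmac.compare_digest(expected, received_digest)


# Constructed sample values (not taken from the draft or the post).
NONCE = b"constructed-nonce-bytes"   # the decoded wsse:Nonce of a real token
CREATED = "2003-11-08T12:00:00Z"     # the wsu:Created timestamp as sent in the token
PASSWORD = "constructed-password"


def demo() -> dict:
    """Run both flows end to end and report what each verifier had to store."""
    # Client side: the draft digest is computed from the password itself.
    draft_on_wire = draft_password_digest(NONCE, CREATED, PASSWORD)
    # Server side: the draft verifier can only recompute it from the clear text.
    draft_ok = verify_draft(PASSWORD, NONCE, CREATED, draft_on_wire)

    # Client side: the proposal hashes the password first, then digests as before.
    proposed_on_wire = proposed_password_digest(NONCE, CREATED, hash_password(PASSWORD))
    # Server side: the verifier never sees the password; it holds SHA-1(password) only.
    stored_hash = hash_password(PASSWORD)
    proposed_ok = verify_proposed(stored_hash, NONCE, CREATED, proposed_on_wire)

    return {
        "draft_verified": draft_ok,
        "draft_server_stores": "clear-text password",
        "proposed_verified": proposed_ok,
        "proposed_server_stores": "SHA-1(password)",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One consequence worth noting when weighing the proposal: under the proposed scheme the stored SHA-1(password) is itself sufficient to compute a valid Password_Digest, so a leaked database still yields password-equivalent credentials, and an unsalted SHA-1 of a weak password is cheap to reverse offline. The change removes the need to store clear text, which is the post's point, but it does not make the stored value harmless; the verifier should also track used nonces and reject stale Created timestamps, as the digest alone does not prevent replay.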
