wss-comment message



Subject: [no subject]


The bigger issue on the Password Digest is if you
already stored the password in hashed form, then you
cannot use Nonce and Created elements. There is no
option to handle this case in the WSS spec.



Eclogue Chang 

--- Paul Cotton <pcotton@microsoft.com> wrote:
> Please find below an additional comment on the
> WS-Security
> specifications from the WS-I Basic Security Profile
> WG.  Please contact
> me if you have any difficulty interpreting our
> comments.
> 
> /paulc
> Chair, WS-I BSP WG
> 
> Paul Cotton, Microsoft Canada 
> 17 Eleanor Drive, Nepean, Ontario K2E 6A3 
> Tel: (613) 225-5445 Fax: (425) 936-7329 
> mailto:pcotton@microsoft.com
> 
>   
> 
> WSS Username Token Profile
> Comments on Working Draft 4 dated 11 Aug 2003.
> 
> In lines 126-134 of the Username Token Profile,
> countermeasures are
> given to thwart replay attacks.  The
> countermeasures involve timestamps
> and nonces.  This works as a countermeasure when
> the attacker attempts
> to replay the token to the same receiver that
> legitimately received the
> token previously.
> 
> However, it does not cover the case where the token
> is replayed to a
> different receiver.  There are several possible
> approaches for this
> latter case:
>   - including the username in the hash, to thwart
> cases where multiple
> user accounts have matching passwords (e.g.
> passwords based on company
> name)
>   - including the domain name in the hash, to thwart
> cases where the
> same username/password is used in multiple systems
>   - including some indication of the intended
> receiver in the hash, to
> thwart cases where receiving systems don't share
> nonce caches (e.g., two
> separate application clusters in the same security
> domain).
> 


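The digest construction and receiver-side checks that both messages in this thread discuss, as an added Python example (not code from the thread or from the WSS specification). It assumes the Username Token Profile's Base64(SHA-1(nonce + created + password)) digest, a five-minute freshness window, and constructed sample credentials; the `Receiver` class and its result strings are this example's own. Two receivers with separate nonce caches each accept the same token, which is the cross-receiver case Paul Cotton raises, and the verifier needs the cleartext password, which is the gap Eclogue Chang points out.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TS = "%Y-%m-%dT%H:%M:%SZ"  # Created timestamp format used in the sample tokens


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the Username Token Profile: Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_token(username: str, password: str, created: str = None, nonce: bytes = None) -> dict:
    """Client side: the token carries the nonce and Created value the digest was bound to."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS)
    return {"username": username, "nonce": base64.b64encode(nonce).decode("ascii"),
            "created": created, "digest": password_digest(nonce, created, password)}


class Receiver:
    """One receiving system with its own clock window and its own nonce cache (hypothetical)."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        # Cleartext passwords are required: a receiver that stored only password
        # hashes cannot recompute the digest, so Nonce/Created cannot be used.
        self.passwords = passwords
        self.freshness = freshness
        self.seen = set()  # (username, nonce) pairs already accepted here

    def verify(self, token: dict, now: str) -> str:
        now_dt = datetime.strptime(now, TS).replace(tzinfo=timezone.utc)
        created = datetime.strptime(token["created"], TS).replace(tzinfo=timezone.utc)
        if abs(now_dt - created) > self.freshness:
            return "stale"  # Created outside the freshness window
        key = (token["username"], token["nonce"])
        if key in self.seen:
            return "replay"  # nonce already used at this receiver
        password = self.passwords.get(token["username"])
        if password is None:
            return "unknown-user"
        expected = password_digest(base64.b64decode(token["nonce"]), token["created"], password)
        if not hmac.compare_digest(expected, token["digest"]):
            return "bad-digest"
        self.seen.add(key)
        return "ok"
```

A shared nonce cache, or binding the digest to the intended receiver as the BSP comment proposes, is what would make the second receiver reject the repeated token.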

