
Subject: Re: [wss] Username token profile comments


An additional comment on this profile:

In the Threat Model section, it should be stated that, while it is an
improvement over PasswordText, PasswordDigest is not perfect.  It is
vulnerable to a dictionary attack.  Including Nonce+Created at the
beginning of the digested material makes precomputation of a digest
list impossible, but the password may be found by mounting an offline
attack using a single message sample.  Using well-chosen (unguessable)
passwords and/or transport or message confidentiality would help
mitigate this threat.

--Pete
Pete Wenzel <pete@seebeyond.com>
SeeBeyond
Standards & Product Strategy
+1-626-471-6311 (US-Pacific)
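The PasswordDigest construction Pete is describing, as an added example that is not part of the original message or of the OASIS profile text: the digest is Base64(SHA-1(nonce + created + password)), and the verifier below adds the freshness and single-use checks on Created and Nonce that the profile's replay discussion implies. The `offline_guess` function illustrates the threat model comment exactly as stated in the post: because the nonce and Created value travel in the clear, anyone holding one captured token can test candidate passwords against the digest offline. All token values, the 5-minute skew window and the candidate word list are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"  # wsu:Created timestamp format used here (assumed)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per the WSS UsernameToken profile.

    `nonce` is the raw nonce bytes (the Base64-decoded value of the wsse:Nonce element);
    `created` is the wsu:Created string exactly as it appears in the message.
    """
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_token(password: str, created: str = "") -> dict:
    """Build the UsernameToken fields a client would send (constructed sample)."""
    nonce = secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    return {
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def verify_token(token: dict, stored_password: str, seen_nonces: set,
                 now: datetime, max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Server-side check: Created within the skew window, Nonce unused, digest matches.

    Note that the server must hold the plaintext password (or an equivalent secret)
    to recompute the digest; the profile does not let it verify from a salted hash.
    """
    created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > max_skew:
        return False                      # stale or future-dated token
    if token["Nonce"] in seen_nonces:
        return False                      # replayed nonce
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], stored_password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False                      # wrong password
    seen_nonces.add(token["Nonce"])       # record only after a successful check
    return True


def offline_guess(token: dict, candidates: list) -> Optional[str]:
    """Why the post calls PasswordDigest imperfect: with one captured token, any
    candidate password can be tested offline since Nonce and Created are public.
    Returns the matching candidate, or None when the list does not contain it."""
    nonce = base64.b64decode(token["Nonce"])
    for cand in candidates:
        if password_digest(nonce, token["Created"], cand) == token["PasswordDigest"]:
            return cand
    return None


if __name__ == "__main__":
    tok = make_token("letmein", created="2003-05-01T12:00:00Z")
    now = datetime(2003, 5, 1, 12, 1, tzinfo=timezone.utc)
    print("accepted:", verify_token(tok, "letmein", set(), now))
    print("offline guess:", offline_guess(tok, ["password", "letmein", "s3cret"]))
```

The Nonce+Created prefix defeats precomputed digest tables, as the post says, but it does nothing against a guess-and-check loop like `offline_guess`, which is why the mitigation is unguessable passwords or confidentiality on the transport or message so the token is never observed.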

