Subject: Re: [ws-sx] Proposal for Issue #31 - Richer Username Token Policies
[HL]
> >Yes. In my view there are four cases:
> >
> >1. Username alone sent under signature linked to some other Token, e.g.
> >X.509. (WS-I Sample apps use this idiom, for example.)
> >
> >2. Username alone with key derived from password. Ability to verify
> >signature or decrypt data verifies password. Undesirable to send
> >password or hash in message.
> >
> >3. Username and text password. Password verified directly. Keys derived
> >from password would be exposed.
> >
> >4. Username and WSS specified hash. Alternative to key derivation, which
> >is not bound to message content.
>

[HL] To this I would add Case 4a: wherein the recipient only has access to the SHA-1 hash of the original password and the WSS specified hash is constructed over the SHA-1 hash.

= prateek
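As an added illustration of case 4 and the proposed case 4a (example code written for this archive page, not code from the thread or from any WS-SX implementation): the client-side construction of the WSS PasswordDigest, Base64(SHA-1(nonce + created + secret)) as given in the WSS UsernameToken Profile, and a recipient that recomputes it against either a cleartext password store (case 4) or a store holding only SHA-1(password) (case 4a). The case-4a construction, feeding the 20 raw SHA-1 bytes of the password into the digest in place of the password, is this example's reading of the message above; the five-minute freshness window and the in-memory nonce cache are also choices made here, not anything the thread specifies. Because the digest is, as the message says, not bound to message content, the verifier pairs it with Created and nonce checks so that a captured token cannot simply be replayed.

```python
"""Added example: WSS UsernameToken PasswordDigest for case 4 and the case-4a
variant (digest over SHA-1(password)), with recipient-side freshness checks.
Not part of the original ws-sx thread."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"   # xsd:dateTime form used in wsu:Created


def stored_secret(password: str, hashed_store: bool = False) -> bytes:
    """What the recipient keeps per user: the UTF-8 password (case 4) or,
    for the case-4a variant, only SHA-1(password) (assumed construction)."""
    raw = password.encode("utf-8")
    return hashlib.sha1(raw).digest() if hashed_store else raw


def wss_password_digest(nonce: bytes, created: str, secret: bytes) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + secret)), as in the
    WSS UsernameToken Profile; `nonce` is the raw (Base64-decoded) bytes."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + secret).digest()
    return base64.b64encode(digest).decode("ascii")


def make_token(username: str, password: str, hashed_store: bool = False,
               now=None) -> dict:
    """Client side: the UsernameToken fields for case 4, or for case 4a when
    hashed_store=True (the client pre-hashes so it matches the store)."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(CREATED_FMT)
    nonce = os.urandom(16)                      # fresh per message
    secret = stored_secret(password, hashed_store)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": wss_password_digest(nonce, created, secret),
    }


class DigestVerifier:
    """Recipient side. `credentials` maps username -> stored secret (see
    stored_secret). The digest proves knowledge of the secret but says nothing
    about the rest of the message, so Created freshness and nonce uniqueness
    are enforced here to stop straightforward replay of a captured token."""

    def __init__(self, credentials: dict, max_age: timedelta = timedelta(minutes=5)):
        self.credentials = credentials
        self.max_age = max_age                  # example choice, not from the spec
        self.seen_nonces: set = set()           # production: bounded/expiring cache

    def verify(self, token: dict, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        secret = self.credentials.get(token["Username"])
        if secret is None:
            return False
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except ValueError:                      # malformed Created or Nonce
            return False
        if abs(now - created) > self.max_age:
            return False                        # stale or future-dated Created
        if nonce in self.seen_nonces:
            return False                        # nonce already used: replay
        expected = wss_password_digest(nonce, token["Created"], secret)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False                        # wrong secret (or wrong store type)
        self.seen_nonces.add(nonce)             # remember only nonces that verified
        return True


if __name__ == "__main__":
    verifier = DigestVerifier({"alice": stored_secret("correct horse")})
    token = make_token("alice", "correct horse")
    print(token)
    print("first use:", verifier.verify(token), "| replay:", verifier.verify(token))
```

Note the trade-off case 4a makes visible: the recipient no longer has to hold cleartext passwords, but the SHA-1 of the password becomes password-equivalent for this scheme, since anyone holding the hash store can produce valid digests. A digest built for case 4 will not verify against a case-4a store (and vice versa), so both sides must agree on which variant a given username uses.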