Password-Digest instead of "cleartext" password in RST


Axel Nennker

Jan 19, 2009, 5:03:47 PM1/19/09
to ICF-WG-OASIS
Hi,

why are we using a simple Username and Password authentication where
those are sent as cleartext to somewhere, while
http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf
defines an easy alternative?

Yes, the selector makes extra sure that the certificate of the STS is
not expired, not revoked and the chain is checked that it is issued by
a trusted source... Well, maybe.

I think that it does not hurt (even in JavaScript) to create a nonce
and a creation date, to concat those with the password and to hash the
result. And then use SSL transport security on top.

Too paranoid?

cheers
Axel