IETF Logo Mail Archive

Re: [kitten] Non-Password Password Change

D.Rogers@gmx.net Mon, 19 October 2015 21:48 UTC

Return-Path: <D.Rogers@gmx.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FD5E1B2D00 for <kitten@ietfa.amsl.com>; Mon, 19 Oct 2015 14:48:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.013
X-Spam-Level:
X-Spam-Status: No, score=0.013 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sX-3TGL_-biv for <kitten@ietfa.amsl.com>; Mon, 19 Oct 2015 14:48:06 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B1221AD0B7 for <kitten@ietf.org>; Mon, 19 Oct 2015 14:48:06 -0700 (PDT)
Received: from [217.244.146.93] by 3capp-gmx-bs18.server.lan (via HTTP); Mon, 19 Oct 2015 23:48:04 +0200
MIME-Version: 1.0
Message-ID: <trinity-2f423d5f-4c7e-4e1d-94f0-1e866352725d-1445291284061@3capp-gmx-bs18>
From: D.Rogers@gmx.net
To: Greg Hudson <ghudson@mit.edu>
Content-Type: text/html; charset="UTF-8"
Date: Mon, 19 Oct 2015 23:48:04 +0200
Importance: normal
Sensitivity: Normal
In-Reply-To: <56201FF6.4070902@mit.edu>
References: <63860D22-138C-430F-B615-06CBB14654CC@oxy.edu>, <56201FF6.4070902@mit.edu>
X-UI-Message-Type: mail
X-Priority: 3
X-Provags-ID: V03:K0:alZrvHIxVIZS7bjG2zttnihrrO7dSb9xFSTA/5z3TI+ qmpnn+t86CsUsiFhesVS7qFZ4a/SQx7+4TkBStGdtMfE0Xzjiu agA84ohpOMCuN0SJy2HHjPIuuOnJUiguU05eePxZXLmGyfPk/M aoQaOasAC3dSH0gS1jTg0AvV0G03ymaEk6UM3cfIlBi5UlXkFk ooI36ljl2WP/y68f8DXqwTNAzjr4/DEGCM9iUtaFuEQOSjdqCA aZWTIglho8rWk5iX6zPqNeeCXakvK7xACdGKGrAoE/tki+3Z+K BSjHYY=
X-UI-Out-Filterresults: notjunk:1;V01:K0:fYVWpoohBZE=:EH0GQdiC6Q1TIle8+9sxhS J8RcewjKXntQW8JQslvd4blPCkJQ3KLPmy4mTCRLHx+bRpSRKd/8YPcv6indeZrs7rs0oG3/N RuKAVfb9SaK7iibIX52x7KMdMlDatTOXPDfnzafNGAp79EtZzz4XOJVZiJDD5t8ydKWbP/INL /jL27tvjwYwvvZvijOSHkEeGeh0kedfkIdG9Bm2dtbtqLccztQUFPseZigea6xCUitQvVhPkS 53ld9GN/BurK0WTIvT3dKD/HjMaTSE2Y6eOPfSvrTkcR5MGDEDkdtFLwCTElj7qdBAQwjsSrq 7mkjrY4I2Y2B1j7XgNYF4/mCms2IF3Z4kmsNHH2ndmD14+sP5jYA6qeN8sJ1VRKzQPjGBesn1 PiE7anjKvfdMFwnkshPNDv7V655DXjpiULlKdLTx7ctGM9twp4LKIbttbsAOxWqXdlRWpV+cw sJxMuAaHJA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/ADyOvnZfM6dJoqFbE9cXPooSPvw>
Cc: kitten@ietf.org
Subject: Re: [kitten] Non-Password Password Change
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2015 21:48:08 -0000

Isnt the Server generating a random password effectively similar to many hardware Tokens, or more recently Smart Apps, generating one.
The password change protocol would then have to consider changes to the semi-static (user pwd) concatenating it with the spontaneously generated one.
Observation shows these implementations exist, though they may be proprietary.
 
Dean
Gesendet: Donnerstag, 15. Oktober 2015 um 23:51 Uhr
Von: "Greg Hudson" <ghudson@mit.edu>
An: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>, kitten@ietf.org
Betreff: Re: [kitten] Non-Password Password Change
On 10/15/2015 03:59 PM, Henry B (Hank) Hotz, CISSP wrote:
> There’s been work on improved password change protocols, but I’m not sure how much actually completed. I also remember once suggesting that loading a KDB entry from a keytab file would be useful, at least for handling cross-realm principals.

I believe the most recent work is:

https://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-08" target="_blank" rel="nofollow">https://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-08

I vaguely recall an explicit decision not to continue with that work
because no one believed they were likely to implement it.

> Are there any password change protocols where you can supply the enctype and a key instead of a text password?

This is probably obvious, but any such facility allows the client to
circumvent password policies, and therefore usually require special
permissions.

I believe you are correct that in current implementations, the only way
to do that is via implementation-specific admin interfaces.

Another mode I would find interesting is one where the server makes up a
new password and tells you what it is. I don't know if it would get
much use (I've never seen passwords managed that way in any
environment), but it seems like a reasonable way to mitigate risk.

_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten" target="_blank" rel="nofollow">https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email