Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01

Howard Chu <hyc@highlandsun.com> Thu, 14 March 2013 19:35 UTC

Message-ID: <51422664.1040209@highlandsun.com>
Date: Thu, 14 Mar 2013 12:35:00 -0700
From: Howard Chu <hyc@highlandsun.com>
To: Michael Ströder <michael@stroeder.com>, ldapext <ldapext@ietf.org>
References: <5103F924.2070800@stroeder.com> <CABBgLkcnK7WfthFOBD5Esfz+g1izcKoGgtxzKKDntc0i=E7LOQ@mail.gmail.com> <510782A6.7050209@stroeder.com> <3ED81CD8-59DA-482E-8AFA-C68E53A62067@isode.com> <51410020.4020800@stroeder.com> <20130314001901.GN18706@slab.skills-1st.co.uk> <5141F560.6040805@highlandsun.com> <5142171C.6090807@stroeder.com>
In-Reply-To: <5142171C.6090807@stroeder.com>
Cc: "ldap@umich.edu" <ldap@umich.edu>
Subject: Re: [ldapext] [ldap] Re: draft-stroeder-hashed-userpassword-values-01

Michael Ströder wrote:
> Well, at first I simply wanted to ignore this completely.
> But after Andrew's request I've already changed it for upcoming -02 like this:

I think you need to re-read RFC5234.
>
>      userpasswordvalue  = cleartext-password / prefix hashed-password
>
>      prefix       = "{" scheme "}"

>      scheme = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F
>           ;0-9, A-Z, a-z, "-", ".", "/", or "_"

Should be something like
	schemechar = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F
	scheme = 1*schemechar
>
>      hashed-password = b64-hashandsalt / crypt3-result
>
>      b64-hashandsalt = <base64 of hashandsalt>
>
>      hashandsalt = password-hash salt
>
>      password-hash = <digest of cleartext-password salt>


>      cleartext-password = %x00-FF
>
>      salt = %x00-FF

Should be something like
	octet = %x00-FF

	cleartext-password = 1*octet
	salt = 0*octet

(Or perhaps you allow zero-length passwords? Don't care much either way.)

	md5-hash = 16octet
	sha1-hash = 20octet
	...

>      crypt3-result = <generated by Unix function crypt(3)>
>
> Please review this. Comments about clarity welcome.
>
> Ciao, Michael.
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
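The grammar corrections above (a scheme of one or more scheme characters, a salt of zero or more octets, and fixed digest lengths such as 16 octets for MD5 and 20 for SHA-1) pin down how a stored `{scheme}base64(hash salt)` value has to be split before it can be checked. The following is an added example, not code from this thread, from the draft, or from OpenLDAP: a small parser and verifier in Python that applies those rules. It assumes a fixed table of four schemes ({MD5}, {SMD5}, {SHA}, {SSHA}), treats scheme names case-insensitively, and encodes candidate passwords as UTF-8 before hashing; all three are choices made here, not something the thread specifies. {CRYPT} is deliberately left unsupported since its result is produced by crypt(3) rather than by the hash-plus-salt layout.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple

# prefix = "{" scheme "}", scheme = 1*schemechar, with
# schemechar = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F.
# "{}..." does not match because at least one schemechar is required.
_PREFIX_RE = re.compile(r"^\{([0-9A-Za-z\-./_]+)\}(.*)$", re.DOTALL)

# Scheme table assumed for this example: hashlib name, digest length
# in octets (md5-hash = 16octet, sha1-hash = 20octet), and whether a
# trailing salt is expected. Case-insensitive matching is an assumption.
_SCHEMES = {
    "MD5": ("md5", 16, False),
    "SMD5": ("md5", 16, True),
    "SHA": ("sha1", 20, False),
    "SSHA": ("sha1", 20, True),
}


def parse_userpassword(value: str) -> Tuple[Optional[str], bytes]:
    """Split a userPassword value into (scheme, payload).

    scheme is None when no well-formed prefix is present; the whole value
    is then a cleartext-password (1*octet), per the grammar alternative.
    """
    m = _PREFIX_RE.match(value)
    if m is None:
        return None, value.encode("utf-8")
    return m.group(1).upper(), m.group(2).encode("ascii")


def split_hash_and_salt(scheme: str, payload: bytes) -> Tuple[bytes, bytes]:
    """Decode b64-hashandsalt and cut it at the scheme's digest length.

    The remainder is the salt, which may be empty (salt = 0*octet).
    """
    _, dlen, salted = _SCHEMES[scheme]
    raw = base64.b64decode(payload, validate=True)
    if len(raw) < dlen:
        raise ValueError(f"{scheme} payload shorter than {dlen}-octet digest")
    digest, salt = raw[:dlen], raw[dlen:]
    if salt and not salted:
        raise ValueError(f"unsalted scheme {scheme} carries trailing octets")
    return digest, salt


def make_hashed_value(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build {scheme}base64(digest(password salt) salt) for a constructed entry."""
    scheme = scheme.upper()
    algo, _, salted = _SCHEMES[scheme]
    if salt and not salted:
        raise ValueError(f"scheme {scheme} takes no salt")
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    Comparisons use hmac.compare_digest so timing does not leak how many
    leading octets matched.
    """
    scheme, payload = parse_userpassword(stored)
    if scheme is None:
        return hmac.compare_digest(payload, candidate.encode("utf-8"))
    if scheme not in _SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    algo, _, _ = _SCHEMES[scheme]
    digest, salt = split_hash_and_salt(scheme, payload)
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample entries; the salt bytes are arbitrary.
    ssha = make_hashed_value("SSHA", "correct horse", b"\x01\x02\x03\x04")
    print(ssha, verify_password(ssha, "correct horse"), verify_password(ssha, "wrong"))
    print(parse_userpassword("{}not-a-scheme"))  # no prefix: cleartext
```

Note that `{}foo` parses as a cleartext password rather than as an error: under the corrected grammar an empty scheme is simply not a prefix, and the cleartext alternative accepts any run of octets. A deployment would probably want to reject such values on write instead of storing them.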