Re: [websec] [http-auth] [saag] Fwd: re-call for IETF http-auth BoF
Yutaka OIWA <y.oiwa@aist.go.jp> Thu, 23 June 2011 02:52 UTC
In-Reply-To: <4E484152-2FF6-4374-B8D4-DCDA0D12ABBD@jpl.nasa.gov>
Date: Thu, 23 Jun 2011 11:52:40 +0900
Message-ID: <BANLkTikXDfnT1Fr=1j1Y6YMjqx7w7UBeXQ@mail.gmail.com>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Cc: "public-identity@w3.org" <public-identity@w3.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "gogwim@unijos.edu.ng" <gogwim@unijos.edu.ng>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [websec] [http-auth] [saag] Fwd: re-call for IETF http-auth BoF
2011/6/23 Henry B. Hotz <hotz@jpl.nasa.gov>:
> I can agree in principle, but in practice the definition of "weak" is too fuzzy.
>
> On Jun 22, 2011, at 10:21 AM, GOGWIM, JOEL GODWIN wrote:
>
>> Supported.
>> Weak and predictable passwords should be avoided.

2011/6/23 Nico Williams <nico@cryptonector.com>:
> Also, all passwords that users must remember should be considered weak.

This is a terminology issue, and I present here *my* use of such terminologies in general.

= strong secret and weak secret =

"Strong" secrets are secret data which have an entropy comparable to the other security parameters (e.g. encryption key length, etc.). They typically include public-key-cryptography secret keys, DH-key-exchanged shared keys, randomly generated nonce-like bearer tokens and others.

"Weak" secrets are secret data which do not have enough entropy compared to encryption keys, etc. PINs, passwords and passphrases are typical examples. They should not be used for encryption without some security amplification (e.g. password-authenticated key exchanges).

In this meaning, all memorable passwords are weak.

= strong passwords/passphrases and weak passwords =

I use the term "weak passwords" as almost equivalent to predictable passwords or brute-force searchable passwords. The required strength may depend on the context, e.g. whether the password search can be off-line, or whether a pre-computed dictionary of hashed passwords can be useful, etc., but many people will agree that "1" and "1234" are weak, and "cA6mqUPgBpe6pQf7" is strong as a password.

I prefer using "predictable" and "unpredictable" for these meanings.
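The two distinctions drawn in the mail (strong/weak *secret* measured against a key length, and predictable/unpredictable *password* measured against brute-force search) can be made concrete with an entropy estimate. The following is an added illustration, not code from the thread; it assumes a 128-bit key as the comparison parameter, an illustrative offline guessing rate of 10^10 guesses per second, and a one-year search horizon, and it only computes an upper bound (uniform random choice over the observed character classes), which real human-chosen passwords never reach.

```python
import math
import secrets
import string

# Character classes used to estimate which alphabet a password was drawn from.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def max_entropy_bits(password: str) -> float:
    """Ceiling on entropy: each character chosen uniformly from the union of the
    character classes present. Human-chosen passwords fall far below this bound."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def random_token_bits(nbytes: int) -> float:
    """A CSPRNG bearer token carries exactly 8 bits per byte by construction."""
    token = secrets.token_bytes(nbytes)  # generated uniformly, so no estimate needed
    return len(token) * 8.0


def secret_strength(bits: float, key_bits: int = 128) -> str:
    """First sense in the mail: a 'strong secret' has entropy comparable to the
    encryption key it protects. Assumption: 'comparable' taken as >= key_bits."""
    return "strong secret" if bits >= key_bits else "weak secret"


def password_predictability(bits: float, guesses_per_second: float = 1e10,
                            horizon_seconds: float = 365 * 86400) -> str:
    """Second sense: a 'weak password' is brute-force searchable. Assumed offline
    rate and one-year horizon are constructed figures, not from the thread."""
    exhaustive_search_seconds = 2 ** bits / guesses_per_second
    return "predictable" if exhaustive_search_seconds < horizon_seconds else "unpredictable"


def classify(password: str) -> dict:
    """Apply both of the mail's distinctions to one password."""
    bits = max_entropy_bits(password)
    return {"bits": round(bits, 1),
            "secret": secret_strength(bits),
            "password": password_predictability(bits)}


if __name__ == "__main__":
    for pw in ("1", "1234", "cA6mqUPgBpe6pQf7"):  # the mail's own examples
        print(pw, classify(pw))
    print("16-byte random token:", secret_strength(random_token_bits(16)))
```

The 16-character mixed-case alphanumeric password comes out at roughly 95 bits: unpredictable, hence "strong as a password", yet still short of the 128-bit key, hence a "weak secret" in the first sense, which is exactly the gap the mail's two vocabularies separate.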