Re: Seeking advice on security best practice from Mary Ellen Zurko on 2009-01-23 (public-wsc-wg@w3.org from January 2009)

From: Mary Ellen Zurko <mzurko@us.ibm.com>
Date: Fri, 23 Jan 2009 08:55:38 -0500
To: "Francois Daoust <fd" <fd@w3.org>
Cc: Web Security Context Working Group <public-wsc-wg@w3.org>
Message-ID: <OFD7575790.9AE7E6A8-ON85257547.004C0D48-85257547.004C812C@LocalDomain>

> 1. What are the main dangers associated with the use of hashed 
> credentials? Identity spoofing?

Hashing doesn't ensure a unique value, does it? So I presume in the 
backend there's some hash table that tracks state and deals with conflicts 
by trying some new has. I thought the security properties of hashes were 
that it would be hard to find a second text that hashes to the same value. 
Not sure how hard it is to come up with something that hashes to some 
randomly useful identity. Seems like a danger to me, but ianac. 

> 2. Are there practical recipes to avoid the dangers (e.g. "encrypt the 
> client's IP address in the hashed credentials to ensure they cannot be 
> used by some other client"?)

Just encrypt the identity then. Be sure to avoid standard cryptographic 
mistakes, and protect against reply and changes. Oh wait, that's what that 
SSL does :-). 

> 3. Can we consider it a good practice? In some not-highly-sensitive 
> cases, e.g. for applications that use identity to personalize the 
> look-and-feel? Never?

Well if your security model is "nbd", then it sounds fine to me! But then, 
which use any cryptography at all?

Received on Friday, 23 January 2009 13:56:18 UTC