- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 23 Jan 2009 14:59:36 +0100
- To: "Mary Ellen Zurko" <mzurko@us.ibm.com>
- Cc: Francois Daoust <fd@w3.org>, Web Security Context Working Group <public-wsc-wg@w3.org>
On 23 Jan 2009, at 14:55, Mary Ellen Zurko wrote:

> > 1. What are the main dangers associated with the use of hashed
> > credentials? Identity spoofing?
>
> Hashing doesn't ensure a unique value, does it? So I presume in the
> backend there's some hash table that tracks state and deals with
> conflicts by trying some new hash. I thought the security properties
> of hashes were that it would be hard to find a second text that
> hashes to the same value. Not sure how hard it is to come up with
> something that hashes to some randomly useful identity. Seems like a
> danger to me, but ianac.

Well, once you choose enough bits for your hash, that's not the problem. (With a hash table, you aim at a small number of bits to keep the table small.)

The real trouble is that you don't want the token to be password-equivalent.
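An added illustration of the two points in the reply, not code from this thread: the birthday bound shows why collisions stop mattering once the hash is wide enough, and a toy server pair shows what "password-equivalent" means in practice. SHA-256, the HMAC challenge-response design and the password value are this example's own assumptions, not anything the working group proposed.

```python
import hashlib
import hmac
import secrets


def collision_probability(bits: int, n_tokens: int) -> float:
    """Birthday-bound estimate of a collision among n uniformly random
    tokens of `bits` bits: roughly n^2 / 2^(bits+1)."""
    return min(1.0, n_tokens * (n_tokens - 1) / 2 ** (bits + 1))


def naive_token(password: str) -> str:
    """Hashed credential sent as-is: whoever captures it can log in."""
    return hashlib.sha256(password.encode()).hexdigest()


class NaiveServer:
    """Accepts H(password) directly, so the token is password-equivalent:
    a captured token replays forever."""

    def __init__(self, password: str) -> None:
        self.stored = naive_token(password)

    def login(self, token: str) -> bool:
        return hmac.compare_digest(token, self.stored)


class ChallengeServer:
    """Accepts only HMAC(H(password), fresh nonce). A response captured on
    the wire is useless against a later challenge. The verifier at rest is
    still sensitive, so this removes replay on the wire, nothing more."""

    def __init__(self, password: str) -> None:
        self.verifier = hashlib.sha256(password.encode()).digest()
        self.pending = None  # outstanding nonce, single-use

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def login(self, response: str) -> bool:
        nonce, self.pending = self.pending, None  # consume the nonce
        if nonce is None:
            return False
        expected = hmac.new(self.verifier, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)


def client_response(password: str, nonce: bytes) -> str:
    """What the client sends for a given challenge (constructed password)."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()
```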
Received on Friday, 23 January 2009 13:59:45 UTC