Re: Seeking advice on security best practice

> > > 1. What are the main dangers associated with the use of hashed
> > > credentials? Identity spoofing?
> >
> > Hashing doesn't ensure a unique value, does it? So I presume in the 
> > backend there's some hash table that tracks state and deals with 
> > conflicts by trying some new hash. I thought the security properties 
> > of hashes were that it would be hard to find a second text that 
> > hashes to the same value. Not sure how hard it is to come up with 
> > something that hashes to some randomly useful identity. Seems like a 
> > danger to me, but ianac.
> 
> Well, once you choose enough bits for your hash, that's not the 
> problem.  (With a hash table, you aim at a small number of bits to 
> keep the table small.)
> 
> The real trouble is that you don't want the token to be password-equivalent.
> 

So what is "enough bits"? The same maximum size as your identity? But why 
don't you still have the birthday problem? 
(I reiterate, ianac)

Received on Friday, 23 January 2009 14:07:12 UTC
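An added example, not part of the thread, that works the birthday bound behind the "enough bits" question: it computes the collision probability for a b-bit digest, the number of values at which a collision becomes likely, and then shows empirically that a SHA-256 digest truncated to hash-table size collides almost at once among a few thousand constructed credentials while the full 256-bit digest does not. The credential strings and the seed are constructed inputs, not anything from the original post.

```python
import hashlib
import math
from typing import Dict, Optional


def birthday_collision_probability(bits: int, k: int) -> float:
    """Approximate probability that k uniformly random `bits`-bit values
    contain at least one collision: 1 - exp(-k(k-1) / 2^(bits+1))."""
    return 1.0 - math.exp(-k * (k - 1) / 2.0 ** (bits + 1))


def items_for_collision_probability(bits: int, p: float = 0.5) -> float:
    """Birthday bound: number of values at which a collision has
    probability p. For p = 0.5 this is roughly 1.18 * 2^(bits/2)."""
    return math.sqrt(2.0 ** (bits + 1) * math.log(1.0 / (1.0 - p)))


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 of `data`, keeping only the leading `bits` bits. A small
    `bits` models a hash-table slot index rather than a security token."""
    if not 1 <= bits <= 256:
        raise ValueError("bits must be between 1 and 256")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def first_collision_index(bits: int, n: int,
                          seed: bytes = b"constructed-seed") -> Optional[int]:
    """Hash n distinct constructed credentials (seed:0, seed:1, ...) and
    return the index of the first one whose truncated digest repeats an
    earlier one, or None if all n digests are distinct."""
    seen: Dict[int, int] = {}
    for i in range(n):
        credential = seed + b":" + str(i).encode()
        h = truncated_digest(credential, bits)
        if h in seen:
            return i
        seen[h] = i
    return None


if __name__ == "__main__":
    for bits in (16, 64, 128, 256):
        print(f"{bits:3d}-bit digest: ~50% collision chance after "
              f"{items_for_collision_probability(bits):.3e} values")
    print("16-bit truncation, first collision at index:",
          first_collision_index(16, 5000))
    print("256-bit digest, first collision at index:",
          first_collision_index(256, 5000))
```

The table-sized truncation hits a repeat within a few hundred credentials, whereas a full-width cryptographic digest needs on the order of 2^128 values before the birthday problem matters.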