assurance - RE: [Assurance] credential renewal or re-issuance
  • From: Roy, Nicholas S
  • To: assurance list
  • Subject: RE: [Assurance] credential renewal or re-issuance
  • Date: Mon, 4 Jun 2012 19:20:05 +0000

"I expect this could be another "I don't think it's Silver-quality, but
Silver does, so I'll shut up now" things."

I think it's one of those things. I have decided to take Silver for what it
is, not what I think it should be. If it were what I think it should be, it
would be impossible for me to implement without bringing up an entirely
separate IdP and credential store, including all sorts of special and
difficult-to-implement things for credential issuance, credential re-issuance
and entropy control.

Because Silver is written the way it is, I fully intend to utilize things
like e-mail (with all its inherent non-security) for credential issuance and
re-issuance.

That said, I think it's odd that preventing snooping passwords off the wire
(even if limited to a wire that "we" "own"), hashing passwords in an (in my
opinion) over-prescribed way and setting complex (and I could argue,
counter-productive) password policies to meet an academic definition of
password-based authentication security is required, but you're allowed to
email passwords to people at registration time.

Nick

-----Original Message-----
From: assurance list, on behalf of Cantor, Scott
Sent: Monday, June 04, 2012 10:17 AM
To: assurance list
Subject: Re: [Assurance] credential renewal or re-issuance

On 6/4/12 11:05 AM, "Tom Scavo" wrote:

>In section 4.2.4.3 ("Credential Renewal or Re-issuance") of the Silver
>IAP, it suggests "A short-lived single use Secret sent to the Address of
>Record that the Subject must submit in order to establish a new
>Authentication Secret," which could be interpreted as using email to
>deliver a short-lived secret for the purposes of password reset. However,
>email-based password reset is vulnerable to a lost or stolen mobile phone
>(since mobile phones invariably have access to all the user's e-mail
>accounts) so I'm wondering how people plan to handle password reset for
>Silver compliance?

I can't imagine that's the most significant security risk to using email
for this, so if you think email's secure enough (I don't), I wouldn't
think a lost phone would be a concern.

Also interested to hear the opinions of others. I expect this could be
another "I don't think it's Silver-quality, but Silver does, so I'll shut
up now" things.

-- Scott
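The IAP language Tom quotes ("a short-lived single use Secret sent to the Address of Record that the Subject must submit in order to establish a new Authentication Secret") describes a reset-token flow with two properties a verifier has to enforce: the secret expires, and it can be redeemed only once. The following is an added illustration of that verifier side, not code from the Silver IAP, from any IdP product, or from anyone on the thread. It assumes an in-memory store, a 15-minute lifetime (the IAP text says only "short-lived"), and that only a hash of the secret is kept server-side so a leaked store does not yield usable tokens. It does not address the transport risks the thread is actually debating (the secret travelling over e-mail, or a phone that can read that e-mail); those are outside what this check can control.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime; the IAP only says "short-lived", so this is a local policy choice.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> bytes:
    """Store only a hash of the secret, never the secret itself."""
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class ResetRecord:
    token_hash: bytes
    expires_at: float
    consumed: bool = False


class ResetTokenStore:
    """Issues and redeems single-use, short-lived reset secrets per subject.

    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._records: dict[str, ResetRecord] = {}

    def issue(self, subject: str) -> str:
        """Create a fresh secret for `subject`; any earlier outstanding secret is superseded."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[subject] = ResetRecord(_digest(token), self.clock() + self.ttl)
        return token  # this value is what would go to the Address of Record

    def redeem(self, subject: str, presented: str) -> bool:
        """Return True exactly once for the live secret; False for unknown,
        already-used, expired, superseded or mismatching secrets."""
        rec = self._records.get(subject)
        if rec is None or rec.consumed:
            return False
        if self.clock() > rec.expires_at:
            return False
        # Constant-time comparison of equal-length digests.
        if not hmac.compare_digest(rec.token_hash, _digest(presented)):
            return False
        rec.consumed = True  # single use: burn it before the caller sets a new password
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("subject@example.edu")  # constructed sample subject
    print("first redeem:", store.redeem("subject@example.edu", tok))
    print("second redeem:", store.redeem("subject@example.edu", tok))
```

The record is marked consumed before the caller proceeds to set the new Authentication Secret, so a replay of the same link after the reset (or a second click from a copied e-mail) is rejected; issuing a new secret overwrites the previous one rather than leaving several valid at once.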