Refeds


Subject Re: draft charge, refeds working group on attribute release
From John Bradley <ve7jtb@xxxxxxxxxx>
Date Tue, 5 Jul 2011 16:12:23 -0400

The catch is that the entropy is over the lifetime of the password.

That introduces password rotation, unless you have other methods in place to stop brute force attacks.

It isn't hard to do LoA 1 passwords, but it requires some work.

The other issue is that the password can never be passed in clear text by any system. That presents problems for some back office systems, or email and other APIs that use the same password.

The password must be secure everywhere, not just in the SSO. The SSO is much easier to deal with than some of the other linked systems.

Everyone should be able to do LoA 1, but I would not consider that trivial work for some.

John B.
On 2011-07-05, at 3:35 PM, David Chadwick wrote:

> Hi Leif
> 
> unfortunately you have quoted 800-63 wrongly. The entropy required for LOA 1 is only 1 in 2**10, or 1 in 1024, not 1 in 2**1024. This is very very different. Appendix A also says that a system that assigns subscribers 6 character passwords, randomly selected, from a 96 char set, meets LOA 2 and has an entropy of 1 in 16K. So if Level 2 only requires 6 random char passwords, how onerous could it be to meet LOA 1 with one sixteenth of the strength?
> 
> regards
> 
> David
> 
> On 05/07/2011 14:02, Leif Johansson wrote:
>> 
>> On 07/05/2011 02:29 PM, David Chadwick wrote:
>>> Hi Leif
>>> 
>>> LOA1 is defined as little or no confidence. So in the worst case it is
>>> zero. And there is no way of differentiating between little and nothing
>>> since both get a score of 1.
>> 
>> No it is not. What gave you that idea?
>> 
>>> 
>>> Could you please enumerate these non-trivial requirements for no
>>> confidence? I know that passwords must not be sent in the clear, but I
>>> don't count this as non-trivial, do you? (It's been an IETF requirement for
>>> over a decade).
>> 
>> Read Appendix A of SP 800-63 for background. Passwords at LoA1 must have
>> an entropy of 2**1024 over their lifetime. Also read Eric Sachs' notes on
>> Google's OIX LOA1 certification:
>> http://sites.google.com/site/oauthgoog/oixgsacert
>> 
>> 	Cheers Leif
>> 
> 
> -- 
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> School of Computing, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@xxxxxxxxxx
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************
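Worked example, added by the editor and not part of the thread above: the Appendix A style check that John's "over the lifetime of the password" catch refers to. The bounds used (1 in 1024 for LoA 1, 1 in 16K for LoA 2) are the ones David quotes from SP 800-63; the lockout policies, the one-year lifetime, and the 20-bit effective entropy assumed for a weak user-chosen password are constructed assumptions for illustration, not figures from the standard or the thread.

```python
"""Check a password policy against the SP 800-63 Appendix A online-guessing
bound "over the lifetime of the password".

The LoA bounds are the ones quoted in the thread (1 in 1024 for LoA 1,
1 in 16K for LoA 2). Throttling policies, lifetimes and the 20-bit effective
entropy for a user-chosen password below are constructed assumptions.
"""
import math

# Maximum probability that an online attacker guesses the password over its lifetime.
LOA_MAX_GUESS_PROB = {1: 1 / 1024, 2: 1 / 16384}


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords when they are randomly assigned."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen password from a space of this size."""
    return math.log2(space)


def guesses_per_day(max_failures: int, window_minutes: float) -> float:
    """Online guesses per day against one account under a 'lock out after
    max_failures within window_minutes' policy, assuming the attacker uses
    every window (the worst case a throttle has to be sized for)."""
    return max_failures * (24 * 60 / window_minutes)


def lifetime_guess_probability(space: int, lifetime_days: float, per_day: float) -> float:
    """Fraction of the keyspace the attacker can cover before the password is
    rotated; capped at 1.0 (certain success)."""
    return min(1.0, lifetime_days * per_day / space)


def meets_loa(level: int, space: int, lifetime_days: float, per_day: float) -> bool:
    """True if the guessing probability over the lifetime is within the level's bound."""
    return lifetime_guess_probability(space, lifetime_days, per_day) <= LOA_MAX_GUESS_PROB[level]


def max_lifetime_days(level: int, space: int, per_day: float) -> float:
    """Longest lifetime (i.e. the required rotation interval) that keeps the
    guessing probability within the level's bound under this throttle."""
    return space * LOA_MAX_GUESS_PROB[level] / per_day


if __name__ == "__main__":
    # Appendix A case quoted in the thread: 6 random chars from a 96-char set.
    space = keyspace_size(96, 6)
    per_day = guesses_per_day(max_failures=10, window_minutes=30)  # assumed lockout policy
    print(f"random 6/96: {entropy_bits(space):.1f} bits, "
          f"P(guess within 365 d) = {lifetime_guess_probability(space, 365, per_day):.2e}, "
          f"meets LoA2: {meets_loa(2, space, 365, per_day)}")

    # The catch: a weak user-chosen password (assume 20 bits effective entropy)
    # with a mild throttle (3 failures per 15 min) fails LoA 1 over a one-year life.
    weak = 2 ** 20
    mild = guesses_per_day(max_failures=3, window_minutes=15)
    print(f"weak 20-bit, 1 year, 3/15min lockout: meets LoA1 = {meets_loa(1, weak, 365, mild)}")
    # Rotation alone would have to happen every few days ...
    print(f"  rotate every {max_lifetime_days(1, weak, mild):.1f} d to meet LoA1")
    # ... whereas a stricter throttle (10 failures per day) stretches that to months.
    strict = guesses_per_day(max_failures=10, window_minutes=24 * 60)
    print(f"  or with a 10/day lockout: rotate every {max_lifetime_days(1, weak, strict):.1f} d")
```

The two knobs are the keyspace and the number of online guesses the system lets through before rotation, so a weak credential can be brought within the bound either by rotating it or by tightening the lockout; the numbers show why, for low-entropy passwords, rotation on its own is rarely a workable answer.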