Hi Jim, On Tue, September 30, 2014 2:16 pm, Jim Schaad wrote: > I can see two problems right off the bat. > > 1. It does not allow me to use a different salted method for different > people so I can upgrade by salt function piecemeal.
Sure it does. The EAP-Identity/Response from the client will indicate the identity, the server looks up that identity in the password database, sees how it's salted and responds appropriately. One entry in the database could be SHA-1 and another could be SHA-256. > 2. It does not allow me to do both SASLprep and salting on the same > password. Yes, I see that might be needed if SASLprep was done on the password before it was salted and stored. Given that SASLprep is already a password pre-processing technique (and it is the value 0x02 while "none" is 0x00 preventing the distinction being a low-order bit) I see no choice but to double all the proposed salting indicators, one for SASLprep before the hashing and one for do nothing to the password before hashing. Would that be satisfactory to you? regards, Dan. > Jim > > > -----Original Message----- > From: Emu [mailto:emu-boun...@ietf.org] On Behalf Of Dan Harkins > Sent: Tuesday, September 30, 2014 12:02 PM > To: emu@ietf.org > Subject: [Emu] salted EAP-pwd > > > Hello EMU, > > I've had requests to add support for salted password databases to > EAP-pwd. > A newly posted draft does just that: > > http://tools.ietf.org/html/draft-harkins-salted-eap-pwd-00 > > Please take a look and comment. > > regards, > > Dan. > > > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu > > _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
