[security-dev] PicketLink 3 - IDM API - Credential Management

Darran Lofthouse darran.lofthouse at jboss.com
Mon Dec 3 04:32:41 EST 2012


On 12/02/2012 11:09 PM, Shane Bryzak wrote:
> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:
>> * Access To The Credential *
>>
>> The next issue is where access to the credential is required or at the
>> very least something is needed to be generated from the credential -
>> this is used in client/server scenarios where the server also proves to
>> the client that it knows the users password.
>>
>> Keeping the Credential so that it cannot be retrieved from the IDM is
>> good but it does open up the need to be able to generate some response
>> values within the IDM based on additional information supplied.
>>
>> The example I currently have is regarding Digest authentication, I have
>> a need for the following two hashes to be generated: -
>>
>> "username : realm : password"
>> "username : realm : password : nonce : cnonce"
>>
>> The first could be the pre-hashed password I mention above but the
>> second definitely needs generating on demand as we have both the nonce
>> that was generated from the server and the nonce the client has sent to
>> challenge the server.
>
> +1, as I stated above we need to review the credential management API,
> which since the start of this project has remained relatively
> untouched.  I'll spend some time working on this over the next couple of
> days to come up with a better design.

Feel free to set something up if you want to talk to me further about 
where I am coming from with some of these requirements.

If we can find a way to access some of this sensitive data then for the 
more complex server authentication scenarios these requirements aren't 
going to leak into the IDM - of course then we introduce the problem of 
ensuring access to the sensitive values can be restricted ;-)
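The Digest case discussed in this thread, as an added illustration (this is not PicketLink code and not its API; the class and function names are assumed for the example). A store keeps only the pre-hashed HA1 = MD5(username:realm:password) and computes the nonce-dependent values on demand from caller-supplied material, so the hashed credential itself never has to be handed out. Two facts from RFC 2617 are used: the MD5-sess variant derives a per-session HA1 as MD5(HA1:nonce:cnonce), which cannot be pre-computed because it needs both the server nonce and the client nonce, and the server's own proof (rspauth in Authentication-Info) uses A2 = ":" uri with no method. The client-side functions exist only to cross-check the store's output; the sample values are constructed.

```python
import hashlib
import hmac


def md5_hex(*parts: str) -> str:
    """MD5 of the colon-joined parts as lowercase hex, the way HTTP Digest (RFC 2617) builds its values."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


class DigestCredentialStore:
    """Hypothetical IDM-style credential store (assumed for this example, not PicketLink's API).

    Only HA1 = MD5(username:realm:password) is retained, never the password.
    Every Digest value is computed inside the store from caller-supplied
    nonce/cnonce, so the caller receives a response or a proof, not the credential.
    """

    def __init__(self) -> None:
        self._ha1: dict = {}  # (username, realm) -> HA1 hex digest

    def register(self, username: str, realm: str, password: str) -> None:
        # Pre-hash at enrolment; the plaintext is discarded afterwards.
        self._ha1[(username, realm)] = md5_hex(username, realm, password)

    def stores_plaintext(self, password: str) -> bool:
        """True if the raw password appears anywhere in the store (it never should)."""
        return password in self._ha1.values()

    def _ha1_for(self, username, realm, nonce, cnonce, sess):
        base = self._ha1[(username, realm)]
        if not sess:
            return base
        # MD5-sess (RFC 2617 3.2.2.2): HA1 = MD5(MD5(username:realm:password):nonce:cnonce).
        # This is the value that cannot be pre-computed: it depends on both nonces.
        return md5_hex(base, nonce, cnonce)

    def expected_response(self, username, realm, method, uri, nonce, nc, cnonce,
                          qop="auth", sess=False) -> str:
        """Digest 'response' the server expects from the client for this request."""
        ha1 = self._ha1_for(username, realm, nonce, cnonce, sess)
        ha2 = md5_hex(method, uri)
        return md5_hex(ha1, nonce, nc, cnonce, qop, ha2)

    def verify(self, client_response: str, **params) -> bool:
        """Constant-time comparison of the client's response against the expected one."""
        return hmac.compare_digest(self.expected_response(**params), client_response)

    def rspauth(self, username, realm, uri, nonce, nc, cnonce, qop="auth", sess=False) -> str:
        """Server-side proof for Authentication-Info: like 'response', but A2 = ':' uri (no method)."""
        ha1 = self._ha1_for(username, realm, nonce, cnonce, sess)
        ha2 = md5_hex("", uri)  # joins to ":" + uri
        return md5_hex(ha1, nonce, nc, cnonce, qop, ha2)


# Client side: the same arithmetic from the raw password, used here only for cross-checking.
def client_response(password, username, realm, method, uri, nonce, nc, cnonce,
                    qop="auth", sess=False) -> str:
    ha1 = md5_hex(username, realm, password)
    if sess:
        ha1 = md5_hex(ha1, nonce, cnonce)
    return md5_hex(ha1, nonce, nc, cnonce, qop, md5_hex(method, uri))


def client_rspauth(password, username, realm, uri, nonce, nc, cnonce, qop="auth", sess=False) -> str:
    """What the client computes to check the server's rspauth (mutual authentication)."""
    ha1 = md5_hex(username, realm, password)
    if sess:
        ha1 = md5_hex(ha1, nonce, cnonce)
    return md5_hex(ha1, nonce, nc, cnonce, qop, md5_hex("", uri))


if __name__ == "__main__":
    # Constructed sample values (not from any real deployment).
    store = DigestCredentialStore()
    store.register("alice", "example.realm", "correct horse battery")
    params = dict(username="alice", realm="example.realm", method="GET", uri="/protected",
                  nonce="server-nonce-1", nc="00000001", cnonce="client-nonce-1", sess=True)
    resp = client_response("correct horse battery", **params)
    print("client authenticated:", store.verify(resp, **params))
    print("password retained by store:", store.stores_plaintext("correct horse battery"))
```

The point of the split is visible in `_ha1_for`: the non-session HA1 can be stored once, but the session HA1 and the rspauth proof both need nonce and cnonce, so they are produced by the store per request rather than by handing HA1 to the caller. Whether the store itself should be reachable by arbitrary callers is the access-control question raised above; this example only shows what the store would compute, not who may ask it.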
