Re: [security-dev] PicketLink 3 - IDM API - Credential Management

On 12/01/2012 09:55 PM, Darran Lofthouse wrote: > * Access To The Credential * > > The next issue is where access to the credential is required or at the > very least something is needed to be generated from the credential - > this is used in client/server scenarios where the server also proves to > the client that it knows the users password. > > Keeping the Credential so that it can not be retrieved from the IDM is > good but it does open up the need to be able to generate some response > values within the IDM based on additional information supplied. > > The example I currently have is regarding Digest authentication, I have > a need for the following two hashes to be generated: - > > "username : realm : password" > "username : realm : password : nonce : cnonce" > > The first could be the pre-hashed password I mention above but the > second definitely needs generating on demand as we have both the nonce > that was generated from the server and the nonce the client has sent to > challenge the server. +1, as I stated above we need to review the credential management API, which since the start of this project has remained relatively untouched. I'll spend some time working on this over the next couple of days to come up with a better design.