[jboss-jira] [JBoss JIRA] (ELY-183) Protocols for password changing

Jan Kalina (JIRA) issues at jboss.org
Wed Sep 13 11:28:00 EDT 2017


    [ https://issues.jboss.org/browse/ELY-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13463559#comment-13463559 ] 

Jan Kalina commented on ELY-183:
--------------------------------

[~czacharym] I just checked the SRP protocol and it looks like it is only for authorization, not for password change - or am I looking bad?

> Protocols for password changing
> -------------------------------
>
>                 Key: ELY-183
>                 URL: https://issues.jboss.org/browse/ELY-183
>             Project: WildFly Elytron
>          Issue Type: Enhancement
>          Components: API / SPI
>            Reporter: Darran Lofthouse
>             Fix For: 1.2.0.Beta5
>
>
> Potentially this is a bit of a research task, as I have mentioned in a couple of places I don't like relying on SSL exclusively for confidentiality - my reasons being it is perfect until there is a compromise and then it is as useful as a chocolate tea pot ;-)
> A lot of the emphasis in the Elytron development so far has been implementation of the more secure SASL mechanisms to eliminate weak password exchanges between a client and the server - however we still have the need for a password to be set remotely, this task is to explore some of those options.
> Are there any existing protocols to remotely set a password securely?
> Is there anything specific to our current password types we can take advantage of?
> Are there features of any of our SASL mechanisms to apply a second layer of confidentiality?
> Any other options?


