>>>>> "Stefan" == Stefan Paetow <[log in to unmask]> writes:
>> I think randomly generated values in a database are a great
>> one-way function unless they somehow fail to meet the definition
>> of one-way on some technicality.
Stefan> Ok, so as long as we specify that the value *MUST NOT* be
Stefan> something that can be computed back to the original username
Stefan> (unless the IdP has been breached, in which case *all* bets
Stefan> are off whichever way you swing it), then we're ok, correct?
Right.
Stefan> If we specify it IETF-style, and then provide some 'sample'
Stefan> identifiers (i.e. "you computed this by hashing a salt + NAI
Stefan> + GSS-Acceptor-Realm and store it in a database", or "you
Stefan> computed this from 256 bytes of stuff from /dev/urandom and
Stefan> stored it alongside the username in LDAP"), would that be
Stefan> useful to the community?
I don't think the IETF-style is really necessary.