[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

pspacek freeipa-github-notification at redhat.com
Fri Dec 9 15:48:02 UTC 2016


URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
@mbasti-rh You are missing the point and thus do not answer my question: the docstring does not say anything about the relation between 'entropy' and the output. What is the relation?

Does it assume that the attacker knows the init parameters of TokenGenerator? Or not? How can we do an analysis without knowing the threat model first? Does `entropy` mean that the output string simply encodes `xxx` bits of entropy, or does it mean that the attacker has to guess `xxx` bits of entropy? That should be spelled out.

I would argue that for any IPA-internal passwords we must assume that the attacker knows the input parameters, because he can easily read the source code.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266046041
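The relation the comment asks for, spelled out under the stated threat model (alphabet and requested entropy are public, the attacker reads the source), as an added example; this is hypothetical code, not FreeIPA's TokenGenerator, and `length_for_entropy`, `output_entropy_bits` and `generate` are names assumed here:

```python
import math
import secrets

# Assumed threat model (from the comment): the attacker knows the alphabet
# and the entropy target, so every bit of unpredictability must come from
# the CSPRNG draws, never from the parameters themselves.


def bits_per_char(alphabet):
    """Entropy contributed by one uniformly drawn character."""
    if len(set(alphabet)) != len(alphabet):
        # Duplicate characters bias the draw and overstate the entropy.
        raise ValueError("alphabet must not contain duplicate characters")
    if len(alphabet) < 2:
        raise ValueError("alphabet needs at least two characters")
    return math.log2(len(alphabet))


def length_for_entropy(alphabet, entropy_bits):
    """Smallest length n such that len(alphabet) ** n >= 2 ** entropy_bits.

    This is the meaning 'the attacker has to guess entropy_bits bits':
    the keyspace is at least 2 ** entropy_bits even when the attacker
    knows alphabet and n.
    """
    if entropy_bits <= 0:
        raise ValueError("entropy_bits must be positive")
    return math.ceil(entropy_bits / bits_per_char(alphabet))


def output_entropy_bits(alphabet, length):
    """Bits actually carried by an output of the given length (may exceed
    the requested target because length is rounded up)."""
    return length * bits_per_char(alphabet)


def generate(alphabet, entropy_bits):
    """Draw each character with the OS CSPRNG; knowing the parameters
    gives the attacker no shortcut beyond the documented keyspace."""
    n = length_for_entropy(alphabet, entropy_bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))
```

The docstrings state the relation explicitly: `entropy` is a lower bound on the guessing work, not a property of the parameters.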

