confusion in ank.

Daniel Kahn Gillmor dkg-mit.edu at fifthhorseman.net
Mon Apr 23 13:07:05 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon 2007-04-23 11:52:36 -0400, Nicolas Williams wrote:

> Password quality policies certainly shouldn't apply to randomly-
> generated keys, but that does not mean that there cannot be a key
> expiration policy.

i agree that it's worthwhile to support expiration policy for
randomly-generated keys.  One could even argue for iteratively
applying password-quality policies to randomly-generated keys from a
pragmatic approach:

In the unlikely event the randomly-generated key happens to be
guessable by common tools (dictionary attacks, limited character
classes, etc), it's probably worth generating a new random key.  While
this reduces the overall space of possible random keys, it does keep
the random keys out of the (admittedly tiny) space regularly probed by
the most common brute force attackers.

      --dkg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8+ <http://mailcrypt.sourceforge.net/>

iD8DBQFGLOe3iXTlFKVLY2URAmTRAJ9eiJ2qnt5N22NhhMLE+8jQeD9U+QCffrXU
FuRYHsQwMjmsxx+7nDs3PxU=
=MNUn
-----END PGP SIGNATURE-----
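
The regenerate-on-failure idea in the message above, as an added example that is not part of the original post or of any Kerberos implementation. The 62-symbol alphabet, the sample wordlist and the function names are assumptions; `bits_lost` quantifies how much key space the character-class rule alone removes.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # assumed 62-symbol key alphabet
WORDLIST = {"password", "kerberos", "letmein", "qwerty"}  # constructed sample list

def is_guessable(key):
    """Stand-in policy: the two weaknesses the message names."""
    lowered = key.lower()
    if any(word in lowered for word in WORDLIST):
        return True                      # dictionary hit
    classes = (any(c.islower() for c in key),
               any(c.isupper() for c in key),
               any(c.isdigit() for c in key))
    return sum(classes) < 2              # limited character classes

def generate_key(length=16, choice=secrets.choice, max_tries=100):
    """Draw random keys until one passes the policy; return (key, attempts)."""
    for attempt in range(1, max_tries + 1):
        key = "".join(choice(ALPHABET) for _ in range(length))
        if not is_guessable(key):
            return key, attempt
    raise RuntimeError("policy rejected every candidate; check policy/alphabet")

def bits_lost(length):
    """Entropy removed by the character-class rule alone (wordlist ignored)."""
    # Single-class keys: all-lowercase, all-uppercase, or all-digit strings.
    rejected = (2 * 26**length + 10**length) / 62**length
    return -math.log1p(-rejected) / math.log(2)

if __name__ == "__main__":
    key, tries = generate_key()
    print(f"accepted after {tries} draw(s): {len(key)} chars")
    for n in (4, 8, 16):
        print(f"length {n:2}: {bits_lost(n):.2e} bits lost of {n * math.log2(62):.1f}")
```

The `max_tries` bound keeps an over-strict policy from turning key generation into an endless loop.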


