draft-josefsson-password-auth-00.txt
Martin Rex
martin.rex at sap.com
Thu Mar 29 16:48:50 CEST 2007
Nicolas Williams wrote:
>
> > any case, how to salt the password is an open question. Perhaps the
>
> Well, you'd want to salt it with the server's name, so the verifier is
> different at each server. Then again, many sites might object. So you
> might want a two level verifier derivation where the first step is not
> salted with the server name and the second is -- then one could
> distribute the output of the first step as the verifier for all servers
> in a site.
What you seem to be looking/asking for sounds like "channel bindings"
rather than name-based mutual authentication of the server (many
password-based challenge-response authentication schemes do not
provide mutual authentication).
Keep in mind that it might be difficult for servers and clients
to agree on the same name for the server. Take Microsoft Kerberos
as an example: there the server usually doesn't know (and doesn't
care) what target name the client is using -- the server will
always try to open service tickets by "brute force" using
his own secret key. With very few exceptions, service principals
don't exist in Microsoft's Kerberos, they're mere aliases known
to the KDC/Active Directory and may be used by clients/initiators--
A Microsoft server/acceptor normally doesn't know or care what service
principal aliases exist for his own account and which particular
alias was used by a client, it will look at the realm on the service
ticket to get the salting right, but entirely ignore the principal
name on the ticket.
(At least that is what happened with W2K Kerberos when I tested,
and it can be verified by setting up two separate user accounts "b" and "c"
with the same password (both enabled for rfc-1964 authentication
if W2K3 AD is used). A server started under "b" will then
happily establish security contexts with clients that use "b"
as the target name as well as clients that use "c" as the target name.)
-Martin
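The two-level verifier derivation Nicolas sketches, together with the name-agreement caveat Martin raises, as an added example that is not code from this thread. PBKDF2-HMAC-SHA256 for the site step and HMAC-SHA256 for the per-server step are assumed choices; the salt, names and iteration count are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample parameter; the thread fixes no algorithm or cost.
PBKDF2_ITERATIONS = 50_000


def site_verifier(password: str, site_salt: bytes) -> bytes:
    """Step one: salt with a site-wide salt only, not the server name.
    Its output is what a site could distribute to all of its servers."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), site_salt, PBKDF2_ITERATIONS
    )


def server_verifier(site_v: bytes, server_name: str) -> bytes:
    """Step two: bind the site verifier to one server's name, so the
    verifier each server holds differs from every other server's."""
    return hmac.new(site_v, server_name.encode("utf-8"), hashlib.sha256).digest()


def derive_for_servers(password: str, site_salt: bytes, server_names):
    """Derive the per-server verifiers from a single site verifier."""
    v1 = site_verifier(password, site_salt)
    return {name: server_verifier(v1, name) for name in server_names}


def names_agree(password: str, site_salt: bytes,
                client_target_name: str, server_own_name: str) -> bool:
    """The caveat from the reply: if the client targets alias "c" while the
    server only knows itself as "b", the name-salted verifiers differ and a
    challenge-response built on them would not match."""
    v1 = site_verifier(password, site_salt)
    return hmac.compare_digest(
        server_verifier(v1, client_target_name),
        server_verifier(v1, server_own_name),
    )


if __name__ == "__main__":
    verifiers = derive_for_servers("correct horse", b"site-salt-example", ["b", "c"])
    for name, v in verifiers.items():
        print(name, v.hex())
    print("b vs b:", names_agree("correct horse", b"site-salt-example", "b", "b"))
    print("b vs c:", names_agree("correct horse", b"site-salt-example", "b", "c"))
```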