Discuss: Change default password mechanism to DEFAULT

Hi,

I would like to propose an idea that will help improve the security of
DS password storage for new installations and their future upgrades. 

I would like to change the default value of passwordStorageScheme to a
type called DEFAULT. 

The implementation of DEFAULT would be an interface to the "current best
practice storage mechanism of this release of directory server".

This way sites that want to customise their hash types can. Sites that
"install and forget" will gain a strong password storage mechanism out
of the box.

Additionally, we can *change* the DEFAULT mapping in releases as we have
better and stronger hashes, or as we learn and get better advice on
their security. This way, users who "install and forget" are continually
moving forwards with their security as they upgrade versions. When user
passwords are changed in their systems, they are updated to the newer
hashes etc. 

I think this would be a trivial feature to implement and add, and I
think that the net increase in security for administrators and accounts
on their system is huge. 

Is this something we would like to pursue? 

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane

--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-devel@xxxxxxxxxxxxxxxxxxxxxxx
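
The indirection proposed in the message above, as an added example that is not part of the original post and is not 389 Directory Server code. It assumes two concrete schemes, hypothetical release labels, a constructed `{NAME}base64` storage encoding and a constructed iteration count; the point it shows is that a stored value must be tagged with the concrete scheme, never with DEFAULT, so hashes written under an older mapping still verify after an upgrade.

```python
import base64, hashlib, hmac, os

# Concrete schemes. Encodings here are constructed for illustration,
# not the server's on-disk formats.
def _ssha512(password, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.sha512(password.encode() + salt).digest()

def _pbkdf2_sha256(password, salt=None):
    salt = salt or os.urandom(16)
    # 100_000 iterations is an assumed value for the example.
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SCHEMES = {"SSHA512": _ssha512, "PBKDF2_SHA256": _pbkdf2_sha256}

# What DEFAULT means in each release (hypothetical release labels).
DEFAULT_BY_RELEASE = {"release-A": "SSHA512", "release-B": "PBKDF2_SHA256"}

def resolve(configured, release):
    """Map the configured passwordStorageScheme to a concrete scheme name."""
    if configured == "DEFAULT":
        return DEFAULT_BY_RELEASE[release]
    if configured not in SCHEMES:
        raise ValueError("unknown scheme: %s" % configured)
    return configured  # sites that pin a scheme keep it across upgrades

def hash_password(password, configured, release):
    name = resolve(configured, release)
    blob = SCHEMES[name](password)
    # Tag with the concrete name so verification never depends on
    # whatever DEFAULT happens to mean at read time.
    return "{%s}%s" % (name, base64.b64encode(blob).decode())

def scheme_of(stored):
    return stored[1:stored.index("}")]

def verify(password, stored):
    name = scheme_of(stored)
    blob = base64.b64decode(stored[stored.index("}") + 1:])
    salt = blob[:16]
    return hmac.compare_digest(SCHEMES[name](password, salt), blob)

if __name__ == "__main__":
    old = hash_password("s3cret", "DEFAULT", "release-A")
    new = hash_password("n3w-s3cret", "DEFAULT", "release-B")  # password change after upgrade
    print(scheme_of(old), verify("s3cret", old))
    print(scheme_of(new), verify("n3w-s3cret", new))
```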
