URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA
pspacek commented: """ @mbasti-rh You are missing the point and thus do not answer my question: The docstring does not say anything about the relation of 'entropy' to the output. What is the relation? Does it assume that the attacker knows the init parameters of TokenGenerator? Or not? How can we do analysis without knowing the threat model first? Does `entropy` mean that the output string simply encodes `xxx` bits of entropy, or does it mean that the attacker has to guess `xxx` bits of entropy? That should be spelled out. I would argue that for any IPA-internal passwords we must assume that the attacker knows the input parameters because he can easily read the source code. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266046041
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
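The distinction pspacek is asking about, as an added example that is not code from the FreeIPA pull request or from the project: under the assumption that the attacker knows the alphabet and the token length (they can read the source), the only thing that matters is how many uniformly random choices went into the token. The function names, the default alphabet and the modulo-biased sampler below are assumptions for illustration; the biased sampler shows why a docstring that only says "entropy" can overstate the guessing work an attacker actually faces.

```python
import math
import secrets
from collections import Counter

# Hypothetical default alphabet (26 + 26 + 10 = 62 symbols); not FreeIPA's.
DEFAULT_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
)


def length_for_entropy(entropy_bits, alphabet=DEFAULT_ALPHABET):
    """Shortest length such that a token of independently, uniformly chosen
    characters from `alphabet` carries at least `entropy_bits` bits.

    Threat model (Kerckhoffs): the attacker knows the alphabet and the length,
    so every bit of entropy must come from the random choices themselves.
    """
    if entropy_bits <= 0:
        raise ValueError("entropy_bits must be positive")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate symbols")
    bits_per_char = math.log2(len(alphabet))
    return math.ceil(entropy_bits / bits_per_char)


def entropy_bits_of(length, alphabet=DEFAULT_ALPHABET):
    """Bits of entropy a token of `length` uniform characters actually carries."""
    return length * math.log2(len(alphabet))


def generate_token(entropy_bits, alphabet=DEFAULT_ALPHABET):
    """Generate a token that an attacker knowing `alphabet` and the length
    still has to guess with 2**entropy_bits (or more) work.

    secrets.choice uses the OS CSPRNG and rejects out-of-range values, so each
    character is uniform over the alphabet (no modulo bias).
    """
    n = length_for_entropy(entropy_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def modulo_biased_char_distribution(alphabet):
    """Per-character distribution of the common mistake `alphabet[byte % n]`
    applied to a uniformly random byte. Returns {char: probability}.

    Constructed here to show the failure mode; 256 is not a multiple of 62, so
    the first 256 % 62 = 8 symbols are chosen 5/256 of the time, the rest 4/256.
    """
    counts = Counter(alphabet[b % len(alphabet)] for b in range(256))
    return {c: n / 256 for c, n in counts.items()}


def min_entropy_bits(distribution, length):
    """Min-entropy in bits of a `length`-character token whose characters are
    drawn independently from `distribution`.

    Min-entropy (-log2 of the most likely symbol) is the right measure for
    password guessing: an attacker who knows the distribution tries the most
    likely candidates first, so this is the work they face, not the Shannon
    entropy and not the number the generator was asked for.
    """
    p_max = max(distribution.values())
    return length * -math.log2(p_max)


def uniform_char_distribution(alphabet):
    """Reference distribution for a correct, unbiased sampler."""
    return {c: 1 / len(alphabet) for c in alphabet}


if __name__ == "__main__":
    requested = 128
    n = length_for_entropy(requested)
    print(f"{requested} bits requested -> {n} characters -> "
          f"{entropy_bits_of(n):.1f} bits if sampling is uniform")
    print("sample token:", generate_token(requested))
    biased = modulo_biased_char_distribution(DEFAULT_ALPHABET)
    print(f"same {n} characters from a modulo-biased sampler: "
          f"{min_entropy_bits(biased, n):.1f} bits of min-entropy")
```

The point of the last two lines: with a 62-symbol alphabet, 22 characters carry about 131 bits when drawn uniformly, which satisfies a request for 128, but the same 22 characters drawn with `byte % 62` give only about 125 bits of min-entropy, below what the caller was promised. A docstring that says "entropy" should therefore state that it means guessing work under the assumption that the attacker knows the generator's parameters, and the generator has to be unbiased for that statement to hold.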
