Title: #317: Unify password generation across FreeIPA
@mbasti-rh You are missing the point and thus do not answer my question: The
docstring does not say anything about the relation between 'entropy' and the output.
What is the relation?
Does it assume that the attacker knows the init parameters of TokenGenerator? Or not?
How can we do analysis without knowing the threat model first? Does `entropy` mean
that the output string simply codes `xxx` bits of entropy, or does it mean that
the attacker has to guess `xxx` bits of entropy? That should be spelled out.
I would argue that for any IPA-internal passwords we must assume that the attacker
knows the input parameters because he can easily read the source code.
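Added example, not part of the original comment and not FreeIPA code: it puts numbers on the two readings of `entropy` asked about above, for an attacker who knows the generator's parameters. The function names, the character-class sizes and the minimum counts are hypothetical, and the generator is assumed to pick uniformly among all outputs that satisfy its policy.

```python
import math
from functools import lru_cache

def count_outputs(class_sizes, min_counts, length):
    """Count strings of `length` characters over disjoint character classes
    that contain at least min_counts[i] characters from class i."""
    sizes, mins = tuple(class_sizes), tuple(min_counts)

    @lru_cache(maxsize=None)
    def ways(i, remaining):
        if i == len(sizes):
            return 1 if remaining == 0 else 0
        total = 0
        for k in range(mins[i], remaining + 1):
            # Choose k of the remaining positions for class i, fill each freely.
            total += math.comb(remaining, k) * sizes[i] ** k * ways(i + 1, remaining - k)
        return total

    return ways(0, length)

def encoded_bits(class_sizes, length):
    """Reading 1: bits the output could encode if every string were possible."""
    return length * math.log2(sum(class_sizes))

def guessing_bits(class_sizes, min_counts, length):
    """Reading 2: bits an attacker must guess when the policy is known,
    assuming a uniform choice over the policy-compliant outputs."""
    return math.log2(count_outputs(class_sizes, min_counts, length))

if __name__ == "__main__":
    # Constructed policy: lowercase, uppercase, digits, 32 specials.
    sizes, length = [26, 26, 10, 32], 16
    for mins in ([0, 0, 0, 0], [1, 1, 1, 1], [4, 4, 4, 4]):
        print(mins,
              f"encoded={encoded_bits(sizes, length):.2f}",
              f"to_guess={guessing_bits(sizes, mins, length):.2f}")
```

The gap between the two figures grows as the minimum-count requirements tighten, which is why a docstring should state which of the two numbers `entropy` refers to.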