On 9/8/17 8:13 AM, Sam Whited wrote:
> On Wed, Jul 19, 2017, at 23:44, Sam Whited wrote:
>> On Wed, Jul 19, 2017 at 8:40 PM, Peter Saint-Andre <[email protected]> wrote:
>>> What do implementers think is a "reasonable number of iterations"? My
>>> sense is that we're talking about at most 4 or 5, and usually 2 or 3.
>
> Apologies for the long delay, I know this thread is rather old now, but
> I was just reminded of this blog post [1] from Spotify that shows that
> the non-idempotency of the nickname profile is already a security issue
> in the wild and that documenting the fact that it may have security
> implications only goes so far.
>
> —Sam
>
> [1]: https://labs.spotify.com/2013/06/18/creative-usernames/
The Spotify folks faced numerous issues, including the fact that they implemented against an unfinished spec. I'd say that if they now used the PRECIS specs (especially the new ones about to be published) as their guideline, things would have gone much better.

Peter
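The non-idempotency Sam points to above, as an added example that is not part of this thread or of the PRECIS specs: a simplified enforcement modelled on the Nickname profile's rules (space mapping, Unicode Default Case Folding, NFKC; the exact rule set and order here are an assumption), a check that a single pass is not a fixed point, and a wrapper that iterates up to a constructed pass cap and rejects the nickname if it never stabilizes.

```python
import unicodedata

# Cap on enforcement passes; the thread's "reasonable number" is 2 or 3 (constructed value).
MAX_PASSES = 3


def enforce_once(s: str) -> str:
    """One pass of a simplified Nickname-profile enforcement (illustrative, not the RFC text):
    map non-ASCII space separators to U+0020, trim and collapse ASCII spaces,
    apply Unicode Default Case Folding, then NFKC normalization."""
    s = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in s)
    s = " ".join(part for part in s.split(" ") if part)
    s = s.casefold()
    return unicodedata.normalize("NFKC", s)


def is_idempotent(s: str) -> bool:
    """True if a second pass over the first pass's output changes nothing."""
    once = enforce_once(s)
    return enforce_once(once) == once


def enforce(s: str):
    """Iterate enforce_once until the string stops changing; return (result, passes).
    The final, confirming pass is counted. Raises if no fixed point is reached
    within MAX_PASSES, so the caller can reject the nickname instead of storing
    a value that a later canonicalization would map onto a different account."""
    prev = s
    for passes in range(1, MAX_PASSES + 1):
        cur = enforce_once(prev)
        if cur == prev:
            return cur, passes
        prev = cur
    raise ValueError("nickname enforcement did not converge; reject it")


if __name__ == "__main__":
    # U+1D400 MATHEMATICAL BOLD CAPITAL A has no case-folding entry, so case folding
    # leaves it alone, NFKC then yields ASCII "A", and only a second pass folds it to "a".
    # A service that canonicalizes once at signup and once more at login would thus
    # treat "A" and U+1D400 as distinct at one step and identical at the other.
    for sample in ["\U0001D400", "  Alice\u3000Bob ", "alice"]:  # constructed inputs
        print(repr(sample), is_idempotent(sample), enforce(sample))
```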
precis mailing list: [email protected] https://www.ietf.org/mailman/listinfo/precis
