On 2014-03-25 at 19:15 +0000, Edward Ned Harvey (lopser) wrote:
> > From: Bill Bogstad [mailto:bogs...@pobox.com]
> >
> > 1. If one uses the full hostname for site identification then the
> > generated key pair for wiki.foo.com would be different than
> > for forums.foo.com. This seems like it could be annoying depending
> > on how a site implements site-wide logins.
>
> A good question. I had to think about it a bit to come up with this
> answer:
>
> Suppose a server has multiple DNS aliases. Such as www.example.com
> and example.com. Clientside, how do you know what name to fold into
> your key generation process? You might assert "Just use whatever DNS
> name the user entered," but that fails, because users *expect* to be
> able to login to the site, regardless of whether or not they typed in
> "www." into their browser.
You can download and cache a copy of the Mozilla Public Suffix list and be willing to walk up until you reach the public suffix, then backtrack one component. You could even follow along in the IETF Dbound working group if you want to help work on a better system (DNS tree bounds). Of course, this has issues when the list is refreshed. You'll also need rules around "if not recognized as under a public suffix, we only accept the exact hostname as given".

I could swear that one of the public password management tools already supported deterministic site-specific passwords, but I'm only finding stuff like <http://plevyak.com/dpg.html> -- where you'd want to download the javascript to run it locally, off trusted source, to protect against a future change (or an active attack changing the JS, since it's not available over HTTPS).

Sites found:

* http://mypasswd.net/
* http://plevyak.com/dpg.html
* http://angel.net/~nic/passwd.html

Chrome plugins:

* https://chrome.google.com/webstore/detail/password-generator/nnjgaeekiplalipomfgacalgehhcckbp
* https://chrome.google.com/webstore/detail/password-hasher-plus-pass/glopbmohkffbnplcjbbbfmmimfhfnhgd

Folks might also just consider looking at the existing password _management_ tools, some of which have mobile versions, even though I'm not spotting one with D.S.S.P. support:

* LastPass
* 1Password
* Password Safe (of Bruce Schneier fame)
* KeePass -- fully open source

So yes, deterministic site-specific password generators have their place and it's good to see an open-source standalone tool not dependent upon a remote site never being compromised and not browser-specific. I'll probably continue to use a password manager, with PGP-based backup. :) I should probably switch to self-built KeePass, to up my paranoia levels.
-Phil

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators http://lopsa.org/
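The site-identity folding Phil describes (walk up the hostname to the public suffix, back off one label, and fall back to the exact hostname when the name is not under a recognised suffix), worked through as an added example. This is not code from any poster in the thread or from any of the tools it lists. It assumes a small constructed subset of the Mozilla Public Suffix List in the list's own rule syntax (a real tool downloads and caches the full list from https://publicsuffix.org/list/ and has to cope with refreshes, as Phil notes), plain ASCII hostnames, and PBKDF2-HMAC-SHA256 as the deterministic password derivation, which is this example's choice rather than the scheme of any named tool. It also shows why the fallback rule matters: a hosting suffix such as github.io must not collapse two unrelated tenants into one password.

```python
"""Site-identity folding for a deterministic site-specific password generator.

Added example, not from the thread's posters or the tools named there.
Assumptions: PSL_RULES is a constructed subset of the Mozilla Public Suffix
List (a real tool caches the full list and handles refreshes); hostnames are
plain ASCII (no IDN/punycode handling); PBKDF2-HMAC-SHA256 is this example's
choice of KDF.
"""
import base64
import hashlib

# Constructed subset of PSL rules, in the list's own syntax:
#   "co.uk"   plain rule: co.uk is a public suffix
#   "*.ck"    wildcard rule: every label directly under .ck is a public suffix
#   "!www.ck" exception rule: www.ck is NOT a public suffix (its parent .ck is)
PSL_RULES = {"com", "net", "org", "uk", "co.uk", "org.uk", "*.ck", "!www.ck", "github.io"}


def normalize(host):
    """Lower-case and strip a trailing dot; the rest of the name is kept as given."""
    return host.strip().lower().rstrip(".")


def public_suffix(host, rules=PSL_RULES):
    """Return the public suffix of host per the PSL matching algorithm, or None
    if no rule matches (the thread's "not recognized as under a public suffix")."""
    labels = normalize(host).split(".")
    # Walk up from the longest candidate so the most specific rule wins;
    # an exception rule always overrides the wildcard it is nested under.
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if "!" + cand in rules:
            return parent
        if cand in rules or (parent and "*." + parent in rules):
            return cand
    return None


def registrable_domain(host, rules=PSL_RULES):
    """The name to fold into key generation: one label below the public suffix.

    Falls back to the exact hostname when the suffix is unknown (or when the
    host itself is a bare public suffix), so an unrecognised name is never
    silently merged with a neighbour."""
    host = normalize(host)
    suffix = public_suffix(host, rules)
    if suffix is None or suffix == host:
        return host
    n_suffix = suffix.count(".") + 1
    return ".".join(host.split(".")[-(n_suffix + 1):])


def site_password(master, host, rules=PSL_RULES, length=20):
    """Deterministic site-specific password: KDF(master secret, site identity).

    Using the registrable domain as the PBKDF2 salt is an assumption of this
    example, not the scheme of any tool named in the thread."""
    site = registrable_domain(host, rules)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), 100_000, dklen=24)
    return base64.b64encode(key).decode()[:length]


if __name__ == "__main__":
    for h in ("www.example.com", "example.com", "wiki.foo.com", "forums.foo.com",
              "sub.example.co.uk", "foo.www.ck", "user.github.io", "localhost",
              "intranet.corp"):
        print(f"{h:22} -> {registrable_domain(h)}")
```

With these rules, wiki.foo.com and forums.foo.com both fold to foo.com and so share one generated password, which answers Bill's concern, while user.github.io stays distinct because github.io is itself a public suffix, and localhost or intranet.corp are used exactly as typed.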