
Re: [Fwd: new draft (draft-arsenault-sacred-reqs-00.txt)]



Regarding the text:
>          "The protocol MUST prevent off-line brute-force attacks from the
>          network, and MUST support mechanisms to deter on-line brute-force
>          attacks.  The protocol MAY support mechanisms to prevent
>          off-line brute-force attacks from the server."
>
> Here's some explanation behind this wording [...]
> point 3) The primary focus should be on *network-based* off-line attacks,
> rather than server-based off-line attacks, since the latter may also be
> addressed in ways that are outside the scope of the protocol.

At 11:42 AM 9/26/00 +0100, Stephen Farrell wrote:
> If we need the explanation behind the wording, then we don't
> have the wording right:-) It is better than what's currently
> there, of course, so we're improving.

Thanks, I think. :-)


> I don't think I follow what is meant by "network-based off-line".
> Can you elaborate?

I meant "network-based off-line attacks" to be the same as "off-line brute-force
attacks from the network" -- generally attacks where the enemy is *not* presumed
to be in control of the credentials server or have access to secret data on the server.
But this enemy may eavesdrop, or pose (unsuccessfully) as a client to the server,
or vice-versa, or maybe act as a man-in-the-middle, to obtain some crucial data.
He then uses the data off-line to crack a password or private key.


-- David