From: Tomas G. <to...@pr...> - 2015-02-26 16:52:46

You know that you can limit how long an enrollment code is active?

On February 26, 2015 5:48:06 PM GMT+01:00, Tomas Gustavsson <to...@pr...> wrote:
>What's your use case? Why don't you use 24 character randomly generated
>one-time enrollment codes?
>
>You can surely design your work-flow to be more secure, still giving a
>decent user experience, better than waiting 30 seconds in a browser
>window?
>
>Cheers,
>Tomas
>
>On February 26, 2015 5:08:03 PM GMT+01:00, "Michael Ströder"
><mi...@st...> wrote:
>>Tomas Gustavsson wrote:
>>> What's your threat analysis?
>>> Are you protecting against someone dumping the EJBCA database trying to
>>> brute-force one-time enrollment codes before they are being used?
>>
>>Yes. Or a SQL injection revealing the user's password via web
>>application.
>>
>>> 16 rounds is too slow even for a single use imho. On my laptop a single
>>> call (a single bcrypt) with 16 rounds takes >20 seconds.
>>
>>The important factor is at what speed brute force attackers can work.
>>
>>Ciao, Michael.
>>
>>_______________________________________________
>>Ejbca-develop mailing list
>>Ejb...@li...
>>https://lists.sourceforge.net/lists/listinfo/ejbca-develop
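The thread weighs bcrypt work factor against the entropy of the enrollment code itself. As an added example (not EJBCA code and not written by either poster), this stdlib-only Python sketch sizes a random 24-character code, estimates what a brute-force attacker holding a database dump is up against, and enforces the single-use and time-limited validity Tomas refers to; the 62-symbol alphabet, PBKDF2 standing in for bcrypt, the in-memory store and the guess rates are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabet; the thread does not say which characters EJBCA uses.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random code of the given length."""
    return length * math.log2(alphabet_size)


def expected_bruteforce_seconds(bits, guesses_per_second):
    """Average time to find a random secret: half the key space at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second


def hash_code(code, salt, iterations):
    # PBKDF2-HMAC-SHA256 stands in for bcrypt (stdlib only). With a high-entropy
    # code the work factor matters far less than it does for a short user-chosen PIN.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, iterations)


class EnrollmentCodes:
    """One-time enrollment codes, stored only as salted hashes, each with an expiry."""

    def __init__(self, iterations=10_000):
        self.iterations = iterations
        self.entries = {}  # username -> {salt, hash, expires_at, used}; times are epoch seconds

    def issue(self, username, valid_for_seconds, now, length=24):
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        self.entries[username] = {"salt": salt, "hash": hash_code(code, salt, self.iterations),
                                  "expires_at": now + valid_for_seconds, "used": False}
        return code  # shown to the user once; the clear text is never stored

    def verify(self, username, code, now):
        e = self.entries.get(username)
        if e is None or e["used"] or now > e["expires_at"]:
            return False  # unknown user, code already consumed, or past its validity window
        if not hmac.compare_digest(e["hash"], hash_code(code, e["salt"], self.iterations)):
            return False
        e["used"] = True  # single use: a dumped hash is worthless once the code is consumed
        return True


if __name__ == "__main__":
    for label, bits, rate in (("24-char code", entropy_bits(24), 1e12), ("6-digit PIN", entropy_bits(6, 10), 50)):
        print(f"{label}: {bits:.1f} bits, ~{expected_bruteforce_seconds(bits, rate):.1e} s at {rate:g} guesses/s")
```

The comparison in the `__main__` block is the point of the thread: a 24-character random code stays out of reach even at an assumed trillion guesses per second, while a short code needs an expensive hash and a short validity window to survive a dump.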