LID Password Credential
A LID password credential is a simple password that is provided as a credential in those operations that require credentials.
Currently, only one password credential type is defined, called simple-password. With it, the password is transmitted in clear text.
For example, the following arguments:
...?lid=http://www.example.com/mylid&lid-credtype=simple-password&lid-credential=football
authenticates the request by stating that the client with LID URL http://www.example.com/mylid wishes to authenticate by providing password football (not a good password by any standard, this is just for illustrative purposes).
Note: as in case of all LID operations, these parameters can be provided as part of the URL, or as the payload in an HTTP POST operation. See LID URL Parameters.
Note: security
Of course, transmitting passwords in cleartext is highly open to attack and thus strongly discouraged. Simple passwords are not only open to Replay Attacks, but also let an attacker perform any operation on the target LID Relying Party, because, unlike other LID credential types, a password is the same regardless of the operation it authenticates.
Within LID, we strongly encourage you to:
- Use credentials that use electronic signatures (such as the LID GPG Credential, or OpenID) wherever possible
- Host your LID URL or LID Relying Party using the HTTPS protocol, in particular if you use the simple-password credential type anywhere.
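As an added example (not part of the LID specification or of this wiki), the following Python shows how a Relying Party could parse the parameters described above from either the query string or the POST payload and apply both cautions: it refuses a simple-password credential that did not arrive over HTTPS, and it compares the password in constant time against a stored salted hash rather than a cleartext copy. The function names, the credential store _CREDS and the salt are assumptions for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed relying-party store: LID URL -> (salt, PBKDF2 hash of the password).
# Assumption: the relying party keeps a salted hash, never the cleartext password.
_SALT = b"constructed-salt"
_CREDS = {"http://www.example.com/mylid": (_SALT, _pbkdf2("football", _SALT))}


def parse_lid_params(request_url: str, post_body: str = "") -> dict:
    """Collect LID parameters from the URL query and/or the HTTP POST payload
    (the page allows either); a POST value overrides a query value of the same name."""
    params = parse_qs(urlsplit(request_url).query)
    params.update(parse_qs(post_body))
    return {name: values[0] for name, values in params.items()}


def verify_simple_password(request_url: str, post_body: str = "") -> tuple:
    """Return (accepted, reason) for a simple-password credential.

    Policy: the credential is only examined when the request arrived over HTTPS,
    and the comparison is constant-time, with a dummy hash for unknown LID URLs,
    so that account existence does not leak through timing.
    """
    params = parse_lid_params(request_url, post_body)
    if params.get("lid-credtype") != "simple-password":
        return False, "unsupported-credtype"
    if urlsplit(request_url).scheme != "https":
        # The password already crossed the wire in cleartext; reject without using it.
        return False, "cleartext-transport"
    lid = params.get("lid", "")
    supplied = params.get("lid-credential", "")
    salt, expected = _CREDS.get(lid, (_SALT, b"\x00" * 32))
    if hmac.compare_digest(_pbkdf2(supplied, salt), expected) and lid in _CREDS:
        return True, "ok"
    return False, "bad-credential"
```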
