Greg Hudson <ghudson@MIT.EDU> writes:
> There is a potential out here; the server and client only have to share
> a secret, not necessarily the password itself. I will, at some point,
> look into a way to make it so that the secret is a hash of the password
> together with the authentication domain. I didn't do this initially
> because (1) it's not how CRAM-MD5 is specified, and (2) it complicates
> repository administration and requires us to provide an extra
> command-line tool to perform the password encryption.

How is the "secret" not a "password", then? I'm not seeing how this
fundamentally changes the dynamics of the situation. The server and
client still have to know the same secret, and the secret is not
transmitted in the clear over the network.

By the way, Wey Han, in my original response I didn't realize you were
talking only about svnserve (I saw the message body but not the
subject), so what I said was more applicable to http:// access. Sorry
if that was confusing.

-Karl
Received on Wed Jun 2 20:14:45 2004
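
Added example, not part of the original message or of Subversion's code: a CRAM-MD5 exchange in which the shared secret is a hash of the password together with the authentication domain, as the quoted text proposes. The SHA-256 derivation, the realm names and the password are assumptions made for illustration; the result shows that the stored value still answers a challenge for its own domain, is rejected in another domain, and is not the plaintext password.

```python
import hashlib
import hmac
import os


def derive_secret(realm: str, password: str) -> bytes:
    # Assumed derivation (the thread does not specify one): hex SHA-256 of "realm:password".
    return hashlib.sha256(f"{realm}:{password}".encode()).hexdigest().encode()


def make_challenge(host: str) -> bytes:
    # RFC 2195 style challenge string; the random part is constructed here.
    return f"<{os.urandom(8).hex()}@{host}>".encode()


def cram_md5_response(secret: bytes, challenge: bytes) -> str:
    # CRAM-MD5 response digest: HMAC-MD5 keyed with the shared secret over the challenge.
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def server_verify(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    # The server recomputes the digest from what it stores and compares in constant time.
    expected = cram_md5_response(stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse"                       # constructed sample password
    realm_a, realm_b = "repo-a.example", "repo-b.example"  # constructed realms
    stored_a = derive_secret(realm_a, password)      # what server A keeps on disk
    stored_b = derive_secret(realm_b, password)      # what server B keeps on disk
    challenge = make_challenge("svn.example")

    # Client types the password, derives the realm secret, answers the challenge.
    from_password = cram_md5_response(derive_secret(realm_a, password), challenge)
    # Same answer computed from server A's stored value alone, without the password.
    from_stored = cram_md5_response(stored_a, challenge)

    return {
        "client_accepted": server_verify(stored_a, challenge, from_password),
        "stored_value_is_sufficient": server_verify(stored_a, challenge, from_stored),
        "accepted_in_other_realm": server_verify(stored_b, challenge, from_stored),
        "plaintext_on_disk": password.encode() in stored_a,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Within one domain the derived value has to be protected exactly like a password; what the derivation changes is that the file no longer holds the password itself or a value usable in a different domain.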