
Re: svnserve password store in clear text

From: Mark Benedetto King <mbk_at_lowlatency.com>
Date: 2004-06-04 03:28:33 CEST

On Fri, Jun 04, 2004 at 12:01:54AM +0100, John Pybus wrote:
> >It's difficult for the client to prove it knows a secret that the
> >server cannot be trusted to know without a PKI of some sort.
>
> And yet there are protocols which accomplish it, such as SRP:
>
> http://www.ietf.org/rfc/rfc2945.txt
> http://srp.stanford.edu/
>
> The server stores only a verifier, and doesn't need to know the plain
> text password for the client to authenticate.
>

Right. Similarly, the server could store the public RSA key of the user,
and send the client a challenge, and the user could encrypt that challenge
with their private key. There are protocols for that sort of thing, too.

In my book, things that require big-number libraries count as "difficult".

--ben

Received on Fri Jun 4 03:29:11 2004
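
The verifier-based approach mentioned in the quoted text, as an added example that is not part of the original message and is not Subversion code: the server stores only a salt and a verifier, and both sides derive the same session secret without the password being sent or stored. It follows the SRP-6a equations (a later revision of the design in RFC 2945); the names `enroll` and `login`, the use of SHA-256, and the demo group are assumptions made for this sketch.

```python
import hashlib
import secrets

# Demo group only (assumption): 2**521 - 1 is prime but is not one of the
# standardized safe-prime SRP groups; use those in a real deployment.
N = 2**521 - 1
G = 3

def H(*parts) -> int:
    """Hash ints/bytes to an integer (SHA-256 over length-prefixed parts)."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes((N.bit_length() + 7) // 8, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

K = H(N, G)  # SRP-6a multiplier

def enroll(user: str, password: str):
    """Run once at account creation; the server keeps (salt, verifier) only."""
    salt = secrets.token_bytes(16)
    x = H(salt, f"{user}:{password}".encode())
    return salt, pow(G, x, N)

def login(user: str, password: str, record) -> bool:
    """Both sides of one exchange; True if the derived secrets agree."""
    salt, v = record                       # everything the server has on file
    a = secrets.randbelow(N - 2) + 1       # client ephemeral secret
    A = pow(G, a, N)                       # client -> server
    b = secrets.randbelow(N - 2) + 1       # server ephemeral secret
    B = (K * v + pow(G, b, N)) % N         # server -> client, along with salt
    if A % N == 0 or B % N == 0:           # each side must reject a zero value
        return False
    u = H(A, B)
    # Client side: derives x from the typed password, which is never sent.
    x = H(salt, f"{user}:{password}".encode())
    s_client = pow((B - K * pow(G, x, N)) % N, a + u * x, N)
    # Server side: uses only the stored verifier.
    s_server = pow(A * pow(v, u, N) % N, b, N)
    # The real protocol has each side prove its key with a hash exchange;
    # the direct comparison here stands in for that proof step.
    return H(s_client) == H(s_server)
```

Every operation on `A`, `B`, `v` and the shared secret is modular arithmetic on integers hundreds of bits wide, which Python's built-in `int` and three-argument `pow` provide without an extra library.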

This is an archived mail posted to the Subversion Dev mailing list.
