kfogel@collab.net wrote:
>Branko Čibej <brane@xbc.nu> writes:
>
>
>>Oof. I just read the CRAM-MD5 RFC, and it doesn't require you to store
>>cleartext on the server. We could store hashed passwd representations
>>on the server without changing client code. But if someone lifted
>>those hashes off of the server, they'd be able to modify the client to
>>authenticate with the server anyway.
>>
>>
>
>Congratulations, you've just come full circle... as does everyone who
>thinks about CRAM-MD5. The hash becomes the plaintext :-).
>
>Basically, if we're not doing public-key cryptography, then we have
>two choices:
>
> Client and server store password hashed, but it goes over the wire
> in the clear.
>
> -or-
>
> Client and server store password in the clear, but it goes over the
> wire hashed.
>
>
-or-
We implement DIGEST-MD5 and get both.
But it's way more complicated than CRAM-MD5.
>We decided to protect the wire, which I think is a good choice.
>
>
Och aye, that it is.
-- Brane
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Nov 13 04:09:46 2004
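The CRAM-MD5 exchange the thread is arguing about, worked through as an added example (editor's code, not Subversion's and not from the list). It follows RFC 2195: the server sends a "<pid.timestamp@host>" challenge, the client answers with base64("user " + hex(HMAC-MD5(password, challenge))). The server here stores only the RFC's "hashed" form, the two MD5 contexts seeded with key^ipad and key^opad, never the password. The demo then shows exactly the circle Karl and Brane describe: someone who lifts those contexts cannot recover the password, but can finish the HMAC and authenticate anyway, so the stored hash is the plaintext. Usernames, passwords and hostname are constructed for the example.

```python
"""CRAM-MD5 (RFC 2195) worked through, including the "hash becomes the
plaintext" problem discussed in the thread.  Usernames, passwords and the
hostname below are constructed for the example."""
import base64
import hashlib
import hmac
import os
import time

BLOCK = 64  # MD5 block size; HMAC pads (or hashes) the key to this length


def hmac_md5_contexts(password: bytes):
    """The "hashed" representation RFC 2195 allows a server to store instead
    of the cleartext password: the MD5 states after absorbing key^ipad and
    key^opad.  Neither state can be reversed to the password."""
    key = hashlib.md5(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\0")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def response_from_contexts(inner, outer, challenge: bytes) -> str:
    """Finish HMAC-MD5 from the stored contexts.  No password needed, which
    is the whole problem: this is all a thief of the server store needs."""
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.hexdigest()


def make_challenge(pid: int, stamp: int, host: str) -> bytes:
    """Server challenge in the RFC's msg-id form: <pid.timestamp@host>."""
    return f"<{pid}.{stamp}@{host}>".encode()


def client_response(username: bytes, password: bytes, challenge: bytes) -> bytes:
    """What an honest client sends: base64("username " + hex HMAC-MD5)."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest().encode()
    return base64.b64encode(username + b" " + digest)


class Server:
    """Keeps only the precomputed contexts, never the password itself."""

    def __init__(self):
        self.store = {}

    def add_user(self, username: bytes, password: bytes):
        self.store[username] = hmac_md5_contexts(password)

    def verify(self, challenge: bytes, wire: bytes) -> bool:
        try:
            username, digest = base64.b64decode(wire, validate=True).split(b" ", 1)
        except ValueError:  # bad base64 or no separating space
            return False
        contexts = self.store.get(username)
        if contexts is None:
            return False
        expected = response_from_contexts(*contexts, challenge).encode()
        return hmac.compare_digest(expected, digest)


def demo():
    """Returns (honest client accepted, stolen-hash forgery accepted,
    wrong password accepted)."""
    srv = Server()
    srv.add_user(b"jrandom", b"correct horse battery staple")  # constructed
    chal = make_challenge(os.getpid(), int(time.time()), "svn.example.org")

    # Honest client: knows the password, computes HMAC-MD5 over the challenge.
    honest = client_response(b"jrandom", b"correct horse battery staple", chal)

    # Attacker who lifted the stored contexts off the server: never learns
    # the password, but completes the same HMAC and authenticates anyway.
    inner, outer = srv.store[b"jrandom"]
    forged = base64.b64encode(
        b"jrandom " + response_from_contexts(inner, outer, chal).encode())

    # A wrong password still fails, so the check itself is sound; the
    # weakness is purely in what the server has to keep.
    wrong = client_response(b"jrandom", b"wrong", chal)
    return srv.verify(chal, honest), srv.verify(chal, forged), srv.verify(chal, wrong)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Note that nothing about the wire format is what defeats the attacker: the forged response is byte-for-byte what a real client would have sent, so the server cannot tell the two apart. Protecting the wire and protecting the server store really are the two separate choices the thread lays out.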