
Re: RFC: Encrypting ~/.subversion/auth on Windows

From: Branko Čibej <brane_at_xbc.nu>
Date: 2004-11-13 04:09:48 CET

kfogel@collab.net wrote:

> Branko Čibej <brane@xbc.nu> writes:
> > Oof. I just read the CRAM-MD5 RFC, and it doesn't require you to store
> > cleartext on the server. We could store hashed passwd representations
> > on the server without changing client code. But if someone lifted
> > those hashes off of the server, they'd be able to modify the client to
> > authenticate with the server anyway.
> Congratulations, you've just come full circle... as does everyone who
> thinks about CRAM-MD5. The hash becomes the plaintext :-).
> Basically, if we're not doing public-key cryptography, then we have
> two choices:
> Client and server store password hashed, but it goes over the wire
> in the clear.
> -or-
> Client and server store password in the clear, but it goes over the
> wire hashed.

    We implement DIGEST-MD5 and get both.

But it's way more complicated than CRAM-MD5.

>We decided to protect the wire, which I think is a good choice.
Och aye, that it is.

-- Brane
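The two choices Karl lays out above, worked through as an added example (this is not code from the thread or from Subversion itself): a CRAM-MD5 exchange per RFC 2195, where the server keeps the secret and the wire carries only a keyed digest, beside the alternative where the server keeps a salted hash and the wire carries the password. The user names, the sample password and the PBKDF2 parameters are constructed for the illustration; the point it shows is the one in the thread, that whatever a CRAM-MD5 server stores is itself the HMAC key, so a leaked store is as good as the password.

```python
import hashlib
import hmac
import os
import secrets

# ---- Choice 2 in the thread: stored in the clear, protected on the wire (CRAM-MD5, RFC 2195) ----

def cram_md5_challenge() -> bytes:
    """Server side: a fresh, unpredictable challenge for every authentication attempt."""
    return f"<{secrets.token_hex(8)}@example.invalid>".encode()


def cram_md5_response(user: str, secret: bytes, challenge: bytes) -> str:
    """Client side: the password is the HMAC key, so the client needs the secret itself."""
    return f"{user} {hmac.new(secret, challenge, hashlib.md5).hexdigest()}"


def cram_md5_verify(store: dict, challenge: bytes, response: str) -> bool:
    """Server side: recompute the keyed digest from the stored secret and compare."""
    user, digest = response.rsplit(" ", 1)
    if user not in store:
        return False
    expected = hmac.new(store[user], challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo_cram_md5():
    password = b"correct horse"          # constructed sample credential
    store = {"alice": password}          # the server must keep the HMAC key, i.e. the password
    chal1 = cram_md5_challenge()
    resp1 = cram_md5_response("alice", password, chal1)
    legit = cram_md5_verify(store, chal1, resp1)
    chal2 = cram_md5_challenge()
    replay = cram_md5_verify(store, chal2, resp1)   # a sniffed response is useless against a new challenge
    # Whoever holds the server's stored value holds the HMAC key and can answer any challenge:
    # "the hash becomes the plaintext". (RFC 2195 lets the server store the two intermediate
    # MD5 contexts instead of the password; those are just as much the key.)
    resp_from_store = cram_md5_response("alice", store["alice"], chal2)
    store_is_credential = cram_md5_verify(store, chal2, resp_from_store)
    return legit, replay, store_is_credential


# ---- Choice 1 in the thread: stored hashed, in the clear on the wire ----

def hashed_record(password: bytes) -> dict:
    """Server side: salted, iterated hash (PBKDF2 is an assumed choice here, not from the thread)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)}


def cleartext_login(record: dict, password_on_wire: bytes) -> bool:
    """Server side: the client sends the password itself; the server re-derives and compares."""
    candidate = hashlib.pbkdf2_hmac("sha256", password_on_wire, record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["hash"])


def demo_hashed_store():
    password = b"correct horse"          # constructed sample credential
    record = hashed_record(password)
    legit = cleartext_login(record, password)
    # The stored value alone does not authenticate: the server expects the password, not its hash.
    # The cost is that the login itself put the password on the wire in the clear.
    store_is_credential = cleartext_login(record, record["hash"])
    return legit, store_is_credential


if __name__ == "__main__":
    print("CRAM-MD5  (legit, replay, store-only):", demo_cram_md5())   # (True, False, True)
    print("hashed store (legit, store-only):     ", demo_hashed_store())  # (True, False)
```

Running it shows the trade-off directly: with CRAM-MD5 the replayed digest fails but the stored secret passes, and with the hashed store the stored record fails but the password travelled in the clear. Which leak you fear more, the wire or the password file, decides the choice, which is the decision Karl refers to.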

Received on Sat Nov 13 04:09:46 2004

This is an archived mail posted to the Subversion Dev mailing list.
