kfogel@collab.net wrote:
>Branko Čibej <brane@xbc.nu> writes:
>
>>Er, pray tell, how is this different from storing cleartext passwords
>>on the server, as we're doing now? If client and server both start
>>with the same hash, it's as if the hash were the cleartext password.
>>
>
>The benefit is that if the hash gets compromised, at least the
>person's real (plaintext) password isn't revealed -- so if they're
>using that same password for other systems, then at least those
>systems have not been compromised.
>
Ah, good point.
Should we then store partial HMAC results in the svnserve auth file? I
think it wouldn't require any client changes, taken by itself.
We could of course modify the client to store those same partial results
in the auth cache, and it wouldn't affect the server. Nice. :-)
-- Brane
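The "partial HMAC results" Brane refers to are the two MD5 contexts that HMAC derives from the password (the hash of the inner-padded key and of the outer-padded key). The example below is added here to illustrate that idea; it is not code from this thread or from Subversion. It precomputes those two contexts once, discards the password, and then answers any number of challenges from the stored contexts alone, checking each result against Python's reference `hmac` module. Python's `hashlib` cannot serialize a context to disk, so `copy()` stands in for reading the saved state back from an auth file; the password, challenge and block size are constructed sample values. Note the trade-off the thread itself spells out: whoever holds these contexts can compute valid responses for this service, so the file needs the same protection as a cleartext password file; what it does not reveal is the password itself, which is the only gain.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 block size in bytes; HMAC works on a key padded to this length


def partial_hmac_md5_states(password: bytes):
    """Return the inner and outer MD5 contexts after absorbing the padded key.

    These two contexts are the "partial HMAC results": they are all that
    HMAC-MD5 needs from the password, and the password itself can be dropped.
    """
    if len(password) > BLOCK_SIZE:
        # RFC 2104: keys longer than one block are hashed first
        password = hashlib.md5(password).digest()
    key = password.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def finish_hmac_md5(inner, outer, challenge: bytes) -> bytes:
    """Complete HMAC-MD5 for one challenge from the stored partial states.

    copy() stands in for loading the saved states from the auth file; the
    stored originals stay untouched and can be reused for the next challenge.
    """
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.digest()


def verify_response(stored_states, challenge: bytes, response: bytes) -> bool:
    """Server-side check: recompute from stored states, compare in constant time."""
    inner, outer = stored_states
    expected = finish_hmac_md5(inner, outer, challenge)
    return hmac.compare_digest(expected, response)


def matches_reference(password: bytes, challenge: bytes) -> bool:
    """Sanity check: the two-context computation equals the standard HMAC-MD5."""
    inner, outer = partial_hmac_md5_states(password)
    ours = finish_hmac_md5(inner, outer, challenge)
    reference = hmac.new(password, challenge, hashlib.md5).digest()
    return hmac.compare_digest(ours, reference)


def demo():
    """Walk through one exchange; returns (valid_accepted, garbage_rejected)."""
    password = b"correct horse battery staple"      # constructed sample password
    challenge = b"<1234.1700000000@example.invalid>"  # constructed server challenge

    # Enrolment: server (or client auth cache) keeps only the two contexts.
    stored = partial_hmac_md5_states(password)

    # The client may hold the password or the same partial states; either
    # yields the same response to this challenge.
    client_response = hmac.new(password, challenge, hashlib.md5).digest()
    del password

    accepted = verify_response(stored, challenge, client_response)
    rejected = not verify_response(stored, challenge, b"\x00" * 16)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # expected: (True, True)
```

Because `finish_hmac_md5` never touches the stored contexts, the same two states serve every challenge, which is exactly why a client auth cache could hold them instead of the password, as Brane suggests.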
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Nov 15 19:27:36 2004