Date: Fri, 9 Jul 1999 01:29:10 +0930 (CST)
From: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To: Eivind Eklund <eivind@freebsd.org>
Cc: Peter Wemm <peter@netplex.com.au>, security@freebsd.org
Subject: Re: Improved libcrypt ready for testing
Message-ID: <Pine.OSF.4.10.9907090119230.27376-100000@bragg>
In-Reply-To: <19990708174622.B50609@bitbox.follo.net>
On Thu, 8 Jul 1999, Eivind Eklund wrote:
> > As an interim measure, this could be used as just another hash
> > algorithm like any other which is queried by cleartext passwords,
> > but obviously you wouldn't want to be querying some services using
> > SRP and others using the plaintext of the same password.
>
> I disagree. In my opinion, you would obviously want to - to give a
> simple example, I'm willing to type my plaintext password at a login
> prompt, but I'm not willing to transfer it in the clear using POP3.
I was referring to the case of having two remote services, one of which is
accessed using the plaintext password using the SRP hash as a traditional
password hash on the server (e.g., a non-SRP'ified POP3 client), and one which
has a SRP-speaking client and uses the full SRP protocol, but the same
password (e.g., SRP'ified telnet).
SRP only has benefits if you use it exclusively for a given account over the
network.
Kris
-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
-- Unknown
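The two uses of one password record that the exchange above contrasts, as an added example that is not part of the thread and not FreeBSD's libcrypt code: a server enrols a user as an SRP-6a (salt, verifier) pair, a full SRP exchange then authenticates without the password ever leaving the client, while a plaintext-password service can validate the same record only by receiving the password and recomputing the verifier. The group parameters are a constructed toy (N = 2^127 - 1, g = 3, SHA-256 as the hash); N is not a safe prime and not an RFC 5054 group, it is used only to keep the arithmetic visible. Function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for demonstration only: N = 2^127 - 1 (a Mersenne
# prime, NOT a safe prime) and g = 3. A real deployment uses a standard
# SRP group; the arithmetic below is the same for any prime N.
N = (1 << 127) - 1
g = 3


def H(*parts) -> int:
    """Hash ints / strs / bytes together and return the digest as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
        h.update(b"|")  # separator so concatenated parts stay unambiguous
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt, H(username ':' password)); only the client ever computes this."""
    return H(salt, H(username + ":" + password))


def register(username: str, password: str):
    """Enrolment: the server keeps (salt, v) with v = g^x mod N, never the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


def verify_plaintext(record, username: str, password: str) -> bool:
    """The 'interim' use from the thread: a service that is handed the plaintext
    password recomputes the verifier and compares. The same record works, but
    the password itself had to travel to (and through) this service."""
    salt, v = record
    candidate = pow(g, private_x(salt, username, password), N)
    return hmac.compare_digest(candidate.to_bytes(16, "big"), v.to_bytes(16, "big"))


def srp_exchange(record, username: str, password: str) -> bool:
    """One SRP-6a authentication with both sides written out in order.
    Only username, A, salt, B and the proof M1 cross the wire; the password
    is used solely inside the 'client' lines. Returns True if the server accepts."""
    salt, v = record

    # --- client -> server: username, A = g^a
    a = secrets.randbelow(N - 1) + 1
    A = pow(g, a, N)

    # --- server: reject a degenerate A, then reply with salt, B = k*v + g^b
    if A % N == 0:
        return False
    b = secrets.randbelow(N - 1) + 1
    B = (k * v + pow(g, b, N)) % N

    # --- client: reject a degenerate B, derive the shared secret from the password
    if B % N == 0:
        return False
    u = H(A, B)  # scrambling parameter, computed identically by both sides
    x = private_x(salt, username, password)
    # B - k*g^x == g^b (mod N) only if x matches the enrolled verifier
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = H(S_client)
    M1 = H(A, B, K_client)  # client -> server: proof of the shared key

    # --- server: its own S = (A * v^u)^b needs v only, never x or the password
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_server = H(S_server)
    expected = H(A, B, K_server)
    return hmac.compare_digest(M1.to_bytes(32, "big"), expected.to_bytes(32, "big"))


if __name__ == "__main__":
    rec = register("alice", "correct horse")  # constructed sample credentials
    print("SRP login, right password:", srp_exchange(rec, "alice", "correct horse"))
    print("SRP login, wrong password:", srp_exchange(rec, "alice", "wrong"))
    print("plaintext service, same record:", verify_plaintext(rec, "alice", "correct horse"))
```

Both `srp_exchange` and `verify_plaintext` accept the same stored record, which is the point of the thread: the record protects against a server-side disclosure either way, but once any service that shares it receives the password in clear, that plaintext is exactly what the SRP client would have used, so the SRP service's wire protection is only as strong as the weakest service the same password is sent to.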
