[jadmin] Re: jabberd14 'crypt' password storage in postgresql

Thomas Charron twaffle at gmail.com
Thu Jun 14 09:40:49 CDT 2007


On 6/14/07, Simon Wilkinson <simon at sxw.org.uk> wrote:
> On 14 Jun 2007, at 13:12, Oliver Block wrote:
> > On Thursday, 14 June 2007 09:54, Simon Wilkinson wrote:
> >> I think you've got a serious misunderstanding of how modern
> >> authentication protocols work.
> > What do you mean in particular?
> The fundamental fact is that for the vast majority of today's
> authentication technologies, including ones that are mandatory to
> implement in XMPP, the server will require access to the plaintext
> version of the secret. I'd highly recommend going back and reading
> Norman Ramussen's reply again, which goes into these issues in great
> detail. If you're still unclear, then Bruce Schneier's "Applied
> Cryptography" is a highly recommended read.

  I have to slightly disagree here.  MANY systems will have access to
the password in a processed form, and work off of that.  This provides
a one way encryption of the password itself, which allows you to
present a secret, but not require that secret to be stored, merely the
result of an operation ON the secret.

-- 
-- Thomas
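An added illustration of the distinction the two replies are circling (example code, not from the thread, jadmin or jabberd14): a salted one-way record is enough to check a password the client sends in the clear, but a challenge-response mechanism modeled loosely on DIGEST-MD5 can only be verified by a server that holds the plaintext or the mechanism's own derived value HA1 = MD5(user:realm:password), which a crypt-style hash cannot be turned into. Credentials and nonces are constructed sample values; the digest computation is simplified, not the full RFC 2831 algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample credentials (not from the thread).
USER, REALM, PASSWORD = "alice", "example.org", "correct horse battery"

def make_salted_record(password: str, salt: Optional[str] = None) -> str:
    """One-way 'processed form' of the secret: salt$sha256(salt + password)."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"

def verify_plain(record: str, presented: str) -> bool:
    """PLAIN-style auth: the client sends the secret, so the one-way record suffices."""
    salt, digest = record.split("$", 1)
    candidate = hashlib.sha256((salt + presented).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

def ha1(user: str, realm: str, password: str) -> str:
    """DIGEST-MD5-style derived secret MD5(user:realm:password). It is one-way,
    but password-equivalent for this realm, so it needs the same protection."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def client_response(user, realm, password, nonce, cnonce) -> str:
    """Client proves knowledge of the password without transmitting it (simplified)."""
    return hashlib.md5(f"{ha1(user, realm, password)}:{nonce}:{cnonce}".encode()).hexdigest()

def verify_digest(stored_ha1: Optional[str], nonce, cnonce, response) -> Optional[bool]:
    """Server side. A crypt-style hash cannot produce HA1, so with only that on
    file the server has nothing to compare against and returns None."""
    if stored_ha1 is None:
        return None
    expected = hashlib.md5(f"{stored_ha1}:{nonce}:{cnonce}".encode()).hexdigest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    """Run both mechanisms against the same password with each kind of stored secret."""
    record = make_salted_record(PASSWORD)
    nonce, cnonce = "srv-nonce-1", "cli-nonce-1"  # constructed
    resp = client_response(USER, REALM, PASSWORD, nonce, cnonce)
    return {"plain_ok": verify_plain(record, PASSWORD),
            "plain_wrong": verify_plain(record, "wrong"),
            "digest_from_crypt_record": verify_digest(None, nonce, cnonce, resp),
            "digest_from_ha1": verify_digest(ha1(USER, REALM, PASSWORD), nonce, cnonce, resp)}
```

Storing HA1 instead of the plaintext keeps the record one-way, but only for that one mechanism and realm, and a stolen HA1 still authenticates directly, which is the trade-off behind the thread's disagreement.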

