[Security] TLS Certificates Verification

Dave Cridland dave at cridland.net
Wed Aug 20 05:06:12 CDT 2008


On Wed Aug 20 10:38:02 2008, Jonathan Dickinson wrote:
> I don't know how secure that is though.

You're:

a) Forcing the client to store the account password locally in the  
clear. Neither SCRAM nor DIGEST-MD5 require this; they can store an  
opaque plaintext equivalent which limits the exposure of the actual  
password.

b) Allowing a server to obtain the private key, since if the private  
key is protected using the salt and password, and the server knows  
the salt, it's pretty trivial for the server to find the password -  
most probably because the user has explicitly told it the password at  
some point.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
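As an added illustration of point (a), not code from the thread or from any of the projects mentioned: the SCRAM-SHA-1 client-side key derivation from RFC 5802, in Python. It shows that a client can keep only SaltedPassword (bound to one server's salt and iteration count) and still produce a valid ClientProof, so the password itself need not sit on disk in the clear, while the server keeps only StoredKey. The sample user, password, salt and nonces follow the RFC 5802 example exchange; the function names are my own.

```python
# Added example (not from the original thread): SCRAM-SHA-1 client-side key
# derivation per RFC 5802. The client stores SaltedPassword, an opaque value
# that is a "plaintext equivalent" only for this server's salt and iteration
# count, and never needs the raw password again to authenticate.
import base64
import hashlib
import hmac

def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802: PBKDF2-HMAC-SHA-1 (SASLprep normalisation omitted here)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)

def client_keys(salted: bytes):
    """Derive ClientKey and StoredKey from SaltedPassword alone."""
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    return client_key, stored_key

def client_proof(salted: bytes, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); no password needed."""
    client_key, stored_key = client_keys(salted)
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verifies(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Server holds only StoredKey: unmask ClientKey from the proof and hash it."""
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(recovered_client_key).digest(), stored_key)

# Sample values following the RFC 5802 example exchange (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")

def demo() -> bool:
    # Enrolment: derive SaltedPassword once, then the client can discard "pencil".
    salted = salted_password("pencil", SALT, ITERATIONS)
    _, stored_key = client_keys(salted)     # the server keeps StoredKey only
    # Later authentication: the client uses the stored SaltedPassword, not the password.
    proof = client_proof(salted, AUTH_MESSAGE)
    return server_verifies(stored_key, AUTH_MESSAGE, proof)

if __name__ == "__main__":
    print("authenticated:", demo())
```

A stolen SaltedPassword still lets its holder authenticate to that one server, which is why the message says exposure is limited rather than removed; a different salt or iteration count yields an unrelated value.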