[Security] TLS Certificates Verification
Dave Cridland
dave at cridland.net
Wed Aug 20 05:06:12 CDT 2008
On Wed Aug 20 10:38:02 2008, Jonathan Dickinson wrote:
> I don't know how secure that is though.
You're:
a) Forcing the client to store the account password locally in the
clear. Neither SCRAM nor DIGEST-MD5 require this; they can store an
opaque plaintext equivalent which limits the exposure of the actual
password.
b) Allowing a server to obtain the private key, since if the private
key is protected using the salt and password, and the server knows
the salt, it's pretty trivial for the server to find the password -
most probably because the user has explicitly told it the password at
some point.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
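Dave's point (a), that a SCRAM client can keep an opaque derived value instead of the password, is easiest to see in a small SCRAM-SHA-1 exchange. The following is an added example, not code from this thread or from any XMPP implementation; it follows RFC 5802 for the key derivation and proof, but omits SASLprep and channel binding, and the `enroll`/`derive` helpers, the two record layouts and the fixed nonces in the test are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# SCRAM-SHA-1 as in RFC 5802; the same construction works with SHA-256.
HASH = "sha1"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-<hash>, output length = hash length.
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations,
                               hashlib.new(HASH).digest_size)


@dataclass
class ServerRecord:
    # What the server keeps (assumed layout): StoredKey = H(ClientKey), which
    # cannot by itself be turned into a valid client proof.
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes


@dataclass
class ClientRecord:
    # What the client keeps instead of the password (assumed layout): the
    # "opaque plaintext equivalent". It is bound to this salt and iteration
    # count; if the server changes either, the real password is needed again.
    salt: bytes
    iterations: int
    client_key: bytes
    server_key: bytes


def derive(password: str, salt: bytes, iterations: int):
    salted = hi(password.encode(), salt, iterations)  # SASLprep omitted: ASCII only
    client_key = hmac_(salted, b"Client Key")
    server_key = hmac_(salted, b"Server Key")
    return (ServerRecord(salt, iterations, h(client_key), server_key),
            ClientRecord(salt, iterations, client_key, server_key))


def enroll(password: str, iterations: int = 4096, salt: bytes = None):
    # Hypothetical enrolment helper: both sides derive their records once.
    return derive(password, salt or os.urandom(16), iterations)


def scram_exchange(username, client, server, c_nonce=None, s_nonce=None):
    """Run one SCRAM exchange; return (server_accepted, client_accepted)."""
    c_nonce = c_nonce or secrets.token_urlsafe(18)
    client_first_bare = f"n={username},r={c_nonce}"
    # server-first: the server reveals salt and iteration count.
    full_nonce = c_nonce + (s_nonce or secrets.token_urlsafe(18))
    server_first = f"r={full_nonce},s={b64(server.salt)},i={server.iterations}"
    # client-final: built from the cached ClientKey, no password involved.
    attrs = dict(a.split("=", 1) for a in server_first.split(","))
    if not attrs["r"].startswith(c_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    if base64.b64decode(attrs["s"]) != client.salt or int(attrs["i"]) != client.iterations:
        raise ValueError("salt/iterations changed; the real password is required")
    client_final_bare = f"c={b64(b'n,,')},r={attrs['r']}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_sig = hmac_(h(client.client_key), auth_message)  # HMAC(StoredKey, AuthMessage)
    client_final = f"{client_final_bare},p={b64(xor(client.client_key, client_sig))}"
    # The server recovers ClientKey from the proof and checks H(ClientKey).
    proof = base64.b64decode(client_final.rsplit(",p=", 1)[1])
    recovered_client_key = xor(proof, hmac_(server.stored_key, auth_message))
    server_accepted = hmac.compare_digest(h(recovered_client_key), server.stored_key)
    if not server_accepted:
        return False, False
    server_final = f"v={b64(hmac_(server.server_key, auth_message))}"
    # The client checks that the server actually holds ServerKey.
    expected = b64(hmac_(client.server_key, auth_message))
    client_accepted = hmac.compare_digest(server_final[2:], expected)
    return server_accepted, client_accepted
```

Neither record contains the password: both hold only PBKDF2 output and HMACs of it. The client's copy is still a plaintext equivalent for this account on this server (whoever holds ClientKey can authenticate as the user), which is exactly what Dave means by "limits the exposure" rather than eliminating it; what it does not do is hand over the password itself for reuse elsewhere, and the server's copy, holding only H(ClientKey), cannot be replayed as a client proof.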