[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Chris Mullins cmullins at winfessor.com
Tue May 27 20:16:18 UTC 2003


[ EDigest ] 
>>  3) Will break all old clients, libraries, and servers.

> Using <edigest> will break nothing.

As I think about it, that's not true.

Let's say we have EDigest, and the user registers on the server. The
client sends across the password hash, and the server stores that hash.
This means the server DOES NOT have a copy of the user's original,
plain-text password.

Now I boot up Exodus, and try to log in. During the auth-disco process
(JEP 78) about which protocols are supported, I send back
<PlainText/><Digest/><EDigest/>, and Exodus picks the one that it thinks
is best - Digest. (Because it doesn't know about EDigest). 

Exodus will then send the password+StreamID hash across, expecting the
server to be able to log the user in. But because the server doesn't
have the plain text password for this user, it is unable to perform the
Digest computation, and the user cannot log in. 

This also means plain-text auth would fail, which leaves all the "older"
clients no valid means to log the user in.

-- 
Chris Mullins
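The interop failure described in this message, as an added example that is not part of the original post or of any Jabber server. It models the JEP-0078 <digest/> value as it is actually specified (lowercase hex SHA-1 of stream ID + password) and assumes an EDigest registration that stores only a client-computed hash the server cannot recompute; the `client_password_hash` construction, the `advertise` helper and the sample credentials are my assumptions, not anything from the thread. The defensive point it makes is that a server should only advertise the mechanisms it can verify for the stored form of that account's credential.

```python
import hashlib
import hmac

# Constructed sample values; they are not taken from the original thread.
PASSWORD = "correct horse battery"
STREAM_ID = "3B8A2D7F"


def digest_response(stream_id: str, password: str) -> str:
    """Client side of JEP-0078 <digest/>: lowercase hex SHA-1 of stream ID + password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def client_password_hash(password: str) -> str:
    """Assumed model of the EDigest registration value: a one-way hash the client
    computes itself and sends instead of the password. In this model the server
    treats the value as opaque and never learns the password."""
    return hashlib.sha1(("edigest-model:" + password).encode("utf-8")).hexdigest()


def register_plaintext(password: str) -> dict:
    """Classic registration: the server keeps the password itself."""
    return {"kind": "plain", "value": password}


def register_edigest(password: str) -> dict:
    """EDigest-style registration as described in the post: the server stores
    only the hash the client sent."""
    return {"kind": "hash", "value": client_password_hash(password)}


def verify(record: dict, mechanism: str, presented: str, stream_id: str = "") -> bool:
    """Server-side check of one jabber:iq:auth attempt against the stored record.
    Returns False whenever the stored material is not the kind the mechanism needs."""
    if mechanism == "password":
        # <password/> needs the plaintext; the server does not know how the client
        # computed its opaque hash, so it cannot compare a plaintext against it.
        return record["kind"] == "plain" and hmac.compare_digest(record["value"], presented)
    if mechanism == "digest":
        # <digest/> needs SHA-1(streamID + password), so the server must hold the password.
        if record["kind"] != "plain":
            return False
        return hmac.compare_digest(digest_response(stream_id, record["value"]), presented)
    if mechanism == "edigest":
        # Assumed model: the client re-sends the same hash it registered with.
        return record["kind"] == "hash" and hmac.compare_digest(record["value"], presented)
    return False


def advertise(record: dict) -> list:
    """Mechanisms the server can actually verify for this account. Advertising
    <digest/> for a hash-only account is exactly the failure in the post: an
    older client picks it and can never log in."""
    if record["kind"] == "plain":
        return ["password", "digest"]
    return ["edigest"]


if __name__ == "__main__":
    old_account = register_plaintext(PASSWORD)
    new_account = register_edigest(PASSWORD)
    attempt = digest_response(STREAM_ID, PASSWORD)  # what a Digest-only client sends
    print("plain record, digest auth:", verify(old_account, "digest", attempt, STREAM_ID))
    print("hash record, digest auth: ", verify(new_account, "digest", attempt, STREAM_ID))
    print("hash record advertises:   ", advertise(new_account))
```

Running the block shows the same correct Digest response succeeding against a plaintext record and failing against a hash-only record; the per-account `advertise` step is the check that keeps a Digest-only client from selecting a mechanism the server can never complete.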
