[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Richard Dobson richard at dobson-i.net
Tue May 27 23:15:40 UTC 2003


> > That is true.  But you are sending only a variation with no challenge
> > posed from the server.  So, anyone with a packet sniffer can capture
> > the  SHA1(password-plaintext) as it is transmitted.  This includes
> > your friendly sysadmin who you wish you could trust.  The sniffed
> > hashed password is all it takes for another client to duplicate the
> > same connection - they do not need to know the original password.
>
> Agreed. I'm not trying to solve the provisioning problem, however, as
> noted in my previous 3,308 emails. edigest provides NO advantages to
> digest when it comes to registration -- however it also does not
> provide any DISadvantages.

Except the time and effort to implement; if it provides no tangible benefit
over digest, as you say, then what's the point of all of this?

Richard
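As an added illustration of the replay point quoted above (this is not code from the thread, nor from JEP 78 or any Jabber implementation), the following Python models an unchallenged SHA1(password) proof beside a proof bound to a server-chosen per-stream nonce, and checks which one a recorded value can be reused against. The token constructions, the class and function names, and the sample password are assumptions made for the illustration.

```python
import hashlib
import secrets

PASSWORD = "correct horse battery"  # constructed sample secret, not from the page


def static_token(password: str) -> str:
    # Unchallenged scheme (assumed model): the client sends the same value
    # on every connection, so anyone who records it once can present it again.
    return hashlib.sha1(password.encode()).hexdigest()


def challenge_token(nonce: str, password: str) -> str:
    # Challenge-bound scheme (assumed model): the proof covers a nonce the
    # server chose for this stream only, so it is useless on another stream.
    return hashlib.sha1((nonce + password).encode()).hexdigest()


class Server:
    """Hypothetical server holding one account and issuing per-stream nonces."""

    def __init__(self, password: str) -> None:
        self.password = password

    def new_stream(self) -> str:
        return secrets.token_hex(16)  # fresh, unpredictable nonce per stream

    def verify_static(self, token: str) -> bool:
        return secrets.compare_digest(token, static_token(self.password))

    def verify_challenge(self, nonce: str, token: str) -> bool:
        return secrets.compare_digest(token, challenge_token(nonce, self.password))


def replay_accepted_static(server: Server) -> bool:
    # An observer records the token from one session and presents it later.
    captured = static_token(PASSWORD)
    return server.verify_static(captured)


def replay_accepted_challenge(server: Server) -> bool:
    # The recorded proof was bound to nonce1; the new stream gets nonce2.
    nonce1 = server.new_stream()
    captured = challenge_token(nonce1, PASSWORD)
    nonce2 = server.new_stream()
    return server.verify_challenge(nonce2, captured)


def legitimate_login_challenge(server: Server) -> bool:
    # The real client, knowing the password, answers the current nonce.
    nonce = server.new_stream()
    return server.verify_challenge(nonce, challenge_token(nonce, PASSWORD))
```

Run the three functions against `Server(PASSWORD)`: the recorded static token is accepted again, the recorded nonce-bound token is rejected on a new stream, and the genuine client still authenticates.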
