Peter Saint-Andre <[email protected]> writes:

> On 12/17/09 6:47 AM, Kurt Zeilenga wrote:
>> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>>
>>> If you don't store the hashed password for SCRAM, you need to burn
>>> CPU time for every login to derive the SCRAM hash keys. That
>>> doesn't scale well.
>>
>> If you ONLY store the hash keys, you limit which password-based
>> mechanisms can be used. That might be okay in small enterprise
>> deployments, but seems quite problematic for large (internet scale)
>> service providers.
>
> Agreed. That's the main reason we won't deploy hashed-only on the
> backend plus SCRAM-only on the wire at jabber.org.

So will you 1) not support SCRAM at all, or 2) derive the hash keys from
the plaintext passwords during authentication, or 3) cache the derived
hash keys for a user?

/Simon
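
Added example, not part of the original thread: the trade-off discussed above, shown for SCRAM-SHA-1 (RFC 5802). The server runs PBKDF2 once to get StoredKey and ServerKey, then checks a login with those keys alone; the sample exchange is the RFC 5802 section 5 test vector, and the function names are illustrative.

```python
import base64
import hashlib
import hmac

def derive_stored_credentials(password, salt, iterations):
    """One-time cost: what the server keeps instead of the plaintext password."""
    # Assumes an ASCII password, so the SASLprep normalisation step is a no-op.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return hashlib.sha1(client_key).digest(), server_key  # StoredKey, ServerKey

def verify_client_proof(stored_key, auth_message, proof):
    """Per-login cost: one HMAC and one hash, no PBKDF2 and no plaintext."""
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    if len(proof) != len(client_sig):
        return False
    # ClientProof = ClientKey XOR ClientSignature, so XOR recovers ClientKey.
    client_key = bytes(p ^ s for p, s in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)

def server_signature(server_key, auth_message):
    """Value the server returns (v=...) to prove it knows ServerKey."""
    return hmac.new(server_key, auth_message, hashlib.sha1).digest()

# Sample exchange: RFC 5802 section 5 test vector (user "user", password "pencil").
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
AUTH_MESSAGE = ",".join([
    "n=user,r=fyko+d2lbbFgONRv9qkxdawL",                                      # client-first-bare
    "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096",  # server-first
    "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j",                    # client-final, no proof
]).encode()
CLIENT_PROOF = base64.b64decode("v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=")

# Provisioning (or first login, if the keys are cached): the only PBKDF2 run.
STORED_KEY, SERVER_KEY = derive_stored_credentials("pencil", SALT, ITERATIONS)

if __name__ == "__main__":
    print("proof accepted:", verify_client_proof(STORED_KEY, AUTH_MESSAGE, CLIENT_PROOF))
    print("v=" + base64.b64encode(server_signature(SERVER_KEY, AUTH_MESSAGE)).decode())
```

StoredKey and ServerKey are bound to this salt, iteration count and hash function, which is why a backend holding only these keys cannot serve other password-based mechanisms.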
