On 12/17/09 9:10 AM, Simon Josefsson wrote:
> Peter Saint-Andre <stpe...@stpeter.im> writes:
>
>> On 12/17/09 6:47 AM, Kurt Zeilenga wrote:
>>> On Dec 17, 2009, at 5:35 AM, Simon Josefsson wrote:
>>>
>>>> If you don't store the hashed password for SCRAM, you need to burn
>>>> CPU time for every login to derive the SCRAM hash keys. That
>>>> doesn't scale well.
>>> If you ONLY store the hash keys, you limit which password-based
>>> mechanisms can be used. That might be okay in small enterprise
>>> deployments, but seems quite problematic for large (internet scale)
>>> service providers.
>> Agreed. That's the main reason we won't deploy hashed-only on the
>> backend plus SCRAM-only on the wire at jabber.org.
>
> So will you 1) not support SCRAM at all, or 2) derive the hash keys from
> the plaintext passwords during authentication, or 3) cache the derived
> hash keys for a user?
I'm not sure yet. Definitely not #1, probably #2, maybe #3.

Peter

--
Peter Saint-Andre
https://stpeter.im/
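To make the trade-off in the thread concrete, here is an added example (not code from the thread or from jabber.org): the SCRAM-SHA-1 key derivation and proof check from RFC 5802, plus a hypothetical backend that keeps plaintext passwords for other mechanisms and caches each user's derived verifier, which is option #3. The iteration count, the per-user random salt and the `PlaintextBackend` class are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class ScramVerifier:
    """What a SCRAM-SHA-1 server must hold to verify a client (RFC 5802); no plaintext needed."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey)
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"), used for the server signature

def derive_scram_keys(password: str, salt: bytes, iterations: int) -> ScramVerifier:
    """Hi() is PBKDF2-HMAC-SHA-1: this is the CPU cost the thread worries about paying per login."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return ScramVerifier(salt, iterations, hashlib.sha1(client_key).digest(), server_key)

def client_proof(password: str, v: ScramVerifier, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), v.salt, v.iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    client_sig = hmac.new(hashlib.sha1(client_key).digest(), auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def verify_client_proof(v: ScramVerifier, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(v.stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), v.stored_key)

class PlaintextBackend:
    """Hypothetical backend keeping plaintext passwords (so other mechanisms still work) and
    caching each user's derived verifier, i.e. option #3: PBKDF2 runs once per user, not per login."""
    def __init__(self, passwords: dict, iterations: int = 4096):
        self._passwords = passwords
        self._iterations = iterations
        self._cache: dict = {}
        self.derivations = 0   # how many times Hi() actually ran

    def verifier_for(self, user: str) -> ScramVerifier:
        if user not in self._cache:
            self.derivations += 1
            self._cache[user] = derive_scram_keys(
                self._passwords[user], os.urandom(16), self._iterations)  # fresh random salt per user
        return self._cache[user]
```

The cache entry must be dropped whenever the user's password changes, and since StoredKey and ServerKey are enough to impersonate the server and to verify guesses offline, the cache needs the same protection as the password store itself.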
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: jdev-unsubscr...@jabber.org
_______________________________________________