On Wed Aug 20 10:38:02 2008, Jonathan Dickinson wrote:
I don't know how secure that is though.

You're:

a) Forcing the client to store the account password locally in the clear. Neither SCRAM nor DIGEST-MD5 require this; they can store an opaque plaintext equivalent which limits the exposure of the actual password.

b) Allowing a server to obtain the private key, since if the private key is protected using the salt and password, and the server knows the salt, it's pretty trivial for the server to find the password - most probably because the user has explicitly told it the password at some point.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

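The two points above, worked through in code. This is an added example and is not part of Dave's mail or of the proposal he replies to. The SCRAM arithmetic follows RFC 5802 (SCRAM-SHA-1); the "private key derived from salt and password" is my assumption about the scheme under discussion, since the thread does not spell it out, and the password, salt, nonces and iteration count are constructed for illustration. Point (a): a SCRAM client can keep only SaltedPassword on disk and still produce a valid ClientProof. Point (b): a key that is a deterministic function of (salt, password) is reproduced exactly by any party holding both inputs, which the server does.

```python
"""Added example (not from the original thread). Shows why a client-held
SCRAM value need not be the cleartext password, and why a key derived
from salt + password is reachable by the server that knows both."""
import base64
import hashlib
import hmac


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi(): PBKDF2-HMAC-SHA-1, producing SaltedPassword."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_enrol(password: bytes, salt: bytes, iterations: int = 4096) -> bytes:
    """Point (a): all the SCRAM client needs to keep is SaltedPassword,
    an opaque value that is password-equivalent for this server only."""
    return hi(password, salt, iterations)


def server_enrol(password: bytes, salt: bytes, iterations: int = 4096) -> dict:
    """The SCRAM server record: StoredKey and ServerKey, never the password."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "i": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }


def client_proof(salted_password: bytes, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return xor(client_key, client_sig)


def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = xor(proof, client_sig)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])


def scram_round_trip(password: bytes = b"correct horse", salt: bytes = b"\x01" * 16,
                     wrong_client_secret: bool = False) -> bool:
    """One constructed SCRAM exchange; nonces and channel-binding are fixed
    strings.  The client side uses only the stored SaltedPassword."""
    record = server_enrol(password, salt)
    stored = client_enrol(b"wrong" if wrong_client_secret else password, salt)
    client_first_bare = b"n=user,r=clientnonce"
    server_first = (b"r=clientnoncesrvnonce,s=" + base64.b64encode(record["salt"])
                    + b",i=" + str(record["i"]).encode())
    client_final_without_proof = b"c=biws,r=clientnoncesrvnonce"
    auth_message = b",".join([client_first_bare, server_first, client_final_without_proof])
    return server_verify(record, auth_message, client_proof(stored, auth_message))


def derive_private_key(password: bytes, salt: bytes, iterations: int = 4096) -> bytes:
    """Assumed shape of the criticised scheme: key material is a deterministic
    function of (salt, password).  A real design would feed this seed to a
    key generator, which does not change the argument."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def server_can_reproduce_key(password: bytes, salt: bytes) -> bool:
    """Point (b): the server chose the salt and was told the password, so it
    derives byte-for-byte the same private key the client does."""
    client_side = derive_private_key(password, salt)
    server_side = derive_private_key(password, salt)
    return hmac.compare_digest(client_side, server_side)


if __name__ == "__main__":
    print("SCRAM with stored SaltedPassword:", scram_round_trip())
    print("SCRAM with wrong client secret:", scram_round_trip(wrong_client_secret=True))
    print("Server reproduces derived key:", server_can_reproduce_key(b"hunter2", b"s" * 16))
```

Note that SaltedPassword is still password-equivalent for that one server: anyone who steals it can authenticate there, but it cannot be replayed to a different server using a different salt, and it does not reveal the password itself. That is the exposure limit Dave refers to, not full protection of the stored secret.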