On 8 Oct 2015 16:29, "Brandon Allbery" <[email protected]> wrote:
>
> On Thu, Oct 8, 2015 at 5:57 AM, Edward Ned Harvey (lopser) <[email protected]> wrote:
>> then repeat what I said. Yes, the KDC has the password.
>
> No, you claimed (by your wording) the KDC was *sent* the password. It is not sent the password. It has the password; the user proves they have the password by encrypting something else with that password.
>
> Come back when you understand crypto.
For what it's worth, I really love this thread and I'm positively surprised how Ned manages to stay respectful. Although it's mostly theoretical for me, I do start to view web passwords differently than before. I never thought about rogue employees at "trusted" sites. I'm not yet convinced about cbcrypt, but it does sound like a big step in the right direction, so keep up the good work! Native browser integration would be great, of course, but I could see plug-ins as a useful alternative for the time being.

Though the last comment about understanding crypto is not entirely fair; the KDC necessarily has access to the plaintext password. Even if wrapped in multiple layers of cryptography, the result is the same; you still have to trust something 'outside' with your password, which brings us back to the start of this thread... In theory. ;)

Kind regards,
Guus
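The exchange Brandon describes above (the client proves it knows the password by encrypting something under a password-derived key, and the KDC checks that with the key it keeps for the principal) modelled in Go, as an added example that is not part of this thread and not code from any Kerberos implementation. It mirrors Kerberos pre-authentication by encrypted timestamp in shape only: `string2key` here is an iterated SHA-256 stand-in for the real string-to-key function, AES-GCM stands in for the Kerberos encryption types, and the principal, salt, password and clock values are constructed. What it shows is the point both sides of the thread can agree on: the password itself never crosses the wire, while the KDC does hold key material equivalent to it, which is exactly the "something outside you have to trust" Guus is pointing at.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const kdfIterations = 4096

// string2key is a constructed stand-in for the Kerberos string-to-key
// function: iterated SHA-256 over salt||password yields a 32-byte AES key.
// Real Kerberos uses PBKDF2 for the AES enctypes (RFC 3962); only the shape
// matters here: both sides can derive the same key from the password, and
// the KDC stores that key rather than the password.
func string2key(password, salt string) []byte {
	k := sha256.Sum256([]byte(salt + password))
	for i := 1; i < kdfIterations; i++ {
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

// principalRecord is what the KDC keeps for one principal.
type principalRecord struct {
	Salt string
	Key  []byte
}

// enrol turns a password into a stored key; the password is not retained.
func enrol(password, salt string) principalRecord {
	return principalRecord{Salt: salt, Key: string2key(password, salt)}
}

// newGCM builds an AES-GCM AEAD for the given 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, prefixing the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails on a wrong key or any modification.
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// makePreauth is the client side: derive the key from the password and
// encrypt the current time. Only the resulting blob goes to the KDC.
func makePreauth(password, salt string, now time.Time) ([]byte, error) {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(now.Unix()))
	return seal(string2key(password, salt), ts)
}

// verifyPreauth is the KDC side: decrypt with the stored key and accept
// only if the timestamp is within maxSkew of the KDC's own clock, which
// is what keeps a captured blob from being accepted again later.
func verifyPreauth(rec principalRecord, blob []byte, now time.Time, maxSkew time.Duration) error {
	pt, err := unseal(rec.Key, blob)
	if err != nil {
		return errors.New("preauth rejected: wrong key or tampered blob")
	}
	if len(pt) != 8 {
		return errors.New("preauth rejected: bad timestamp encoding")
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(pt)), 0)
	if d := now.Sub(ts); d > maxSkew || d < -maxSkew {
		return errors.New("preauth rejected: timestamp outside allowed skew")
	}
	return nil
}

func main() {
	// Constructed principal alice@EXAMPLE.ORG with a Kerberos-style salt.
	const salt = "EXAMPLE.ORGalice"
	rec := enrol("correct horse battery staple", salt)
	now := time.Now()

	good, _ := makePreauth("correct horse battery staple", salt, now)
	fmt.Println("right password:", verifyPreauth(rec, good, now, 5*time.Minute))

	bad, _ := makePreauth("wrong password", salt, now)
	fmt.Println("wrong password:", verifyPreauth(rec, bad, now, 5*time.Minute))

	fmt.Println("replayed later:", verifyPreauth(rec, good, now.Add(10*time.Minute), 5*time.Minute))
}
```

The five-minute skew window is the conventional Kerberos default; the check matters because without it a blob captured from the network would verify forever, and the KDC would have no way to tell a live client from a recording.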
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
