Daryl,

On 10/30/2010 5:11 PM, Darryl Lewis wrote:
> That's why we encrypt passwords in unix, or haven't you looked at
> etc/passwd lately? Are you going to tell me that is complete
> nonsense?

The credentialing mechanism is the keyboard and the user's fingers, not a file on the filesystem. What you're suggesting here is that /etc/passwd is the same as conf/server.xml when in reality /etc/passwd is analogous to the password database maintained by the db.

> According to your 'argument' that is 'security by obscurity'. You
> better break that to the GNU crowd gently.

The "GNU crowd" did not develop the /etc/passwd standard.

> Having a username and password in clear text allows another account
> to be compromised.

Yes, it does. Nobody is arguing that. What we're saying is that, given these requirements, security is not possible.

-chris