Hi there,

Shane Hathaway wrote:
> We should really be using the SSHA standard (as defined by LDAP) as a
> minimum. SSHA was the default in Zope 2, but someone forgot to bring
> this code over to Zope 3.
>
> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup

Is there some recent documentation about SSHA available? The Netscape links seem to be down.

The code looks quite similar to what is done in the current SHA1 password manager, but if there is a standard we could follow, we should perhaps do that and recommend people to switch. SSHA seems cryptography-wise to be as strong or weak as the used hash algorithm (which here was SHA-1), so I wonder whether you would like to replace the standard SHA1 manager by an SSHA manager or vote for providing a new one.

> A SHA-256 version of the algorithm would also be useful since
> cryptography experts expect SHA-1 to be vulnerable soon.

Yes, indeed. All that SHA-2 stuff (SHA-224, SHA-256, SHA-384 and SHA-512) might be the choice for the future. Unfortunately we have no out-of-the-box support for these in Python 2.4. They were introduced in Python 2.5 IIRC.

Best regards,

-- 
Uli
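The salted-SHA layout discussed in the message above, as an added example that is not part of the original post and is not Zope's AuthEncoding code. It encodes and verifies the LDAP `{SSHA}` form and the SHA-256 variant asked for in the thread; the function names and the `{SSHA256}` label are assumptions made for this sketch.

```python
# Added example: salted-SHA password hashes in the LDAP userPassword layout,
#   "{SCHEME}" + base64(digest(password + salt) + salt)
import base64
import hashlib
import hmac
import os

# Scheme label -> (hash constructor, digest length in bytes).
# "{SSHA}" is the LDAP salted SHA-1 scheme; "{SSHA256}" is assumed here as the
# label for the same construction over SHA-256.
SCHEMES = {
    "{SSHA}": (hashlib.sha1, 20),
    "{SSHA256}": (hashlib.sha256, 32),
}


def encode(password, scheme="{SSHA}", salt=None):
    """Return the scheme-prefixed, base64-encoded salted hash of password."""
    hash_fn, _ = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per stored password
    digest = hash_fn(password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored):
    """Check password against a stored value; False on unknown or malformed input."""
    for scheme, (hash_fn, size) in SCHEMES.items():
        if stored.startswith(scheme):
            break
    else:
        return False  # unknown scheme label
    try:
        raw = base64.b64decode(stored[len(scheme):], validate=True)
    except ValueError:
        return False  # not valid base64
    if len(raw) <= size:
        return False  # digest only, no salt appended: not a salted hash
    digest, salt = raw[:size], raw[size:]
    candidate = hash_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison
```

The salt is stored in the clear after the digest, so the scheme only defeats precomputed tables; its resistance to guessing is that of one pass of the underlying hash.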
