On 7/17/06, Eric Rescorla <[EMAIL PROTECTED]> wrote:
> In most such systems, the passwords are stored in the password database as a one-way hash of the password.
> Systems that use forms will often do this as well...
>
> IMPLEMENTATION ISSUES
> I'm given to understand that there are ways in which the Digest spec is unclear and that implementation and interoperability is fairly spotty.
...which makes it impossible to use the existing auth database with Digest.

Digest's more extensive protection options are basically unimplemented. Digest is extremely underspecified wrt encoding of non-ASCII characters. Some implementations respect the charset parameter specified in SASL Digest (RFC 2831). Others use the encoding of the page. No one is quite sure what IE does.* Mozilla uses UTF-8 all the time.

* <http://www.agileprogrammer.com/eightytwenty/archive/2006/05/04/14280.aspx>

The only thing we can reasonably say is Basic+TLS, but that's sort of silly, since many servers and some clients won't implement it. I'd rather skip the collective game of pretend.

-- 
Robert Sayre

"I would have written a shorter letter, but I did not have the time."
