> I think he refers to the client side (the browser) encrypting the password,
> shipping that through to the server, and the server decrypting it.

It's hard to imagine what additional security that would provide in addition to SSL/TLS transport security that encrypts the entire form payload including the password. The security characteristics are the same: the client has access to the cleartext password and the server has access to the decryption key to decrypt the ciphertext. You add some new problems like browser support for encryption and symmetric key exchange/management. I would strongly advise against it.

M
