On Wed, Jan 6, 2010 at 3:25 AM, Chris Anderson <[email protected]> wrote:
> On Tue, Jan 5, 2010 at 10:50 AM, Chris Anderson <[email protected]> wrote:
>>
>> I'd be happy to see the users db design document ported to erlang, so
>> we can use erlang's bcrypt (assuming license is ok).
>
> One problem here is I think that we currently ship with the native
> query server disabled. We'd need to add this to default.ini to make
> this stuff ship with CouchDB:
>
> [native_query_servers]
> erlang={couch_native_process, start_link, []}
>
> I'm wary about making this change because native query servers aren't
> as sandboxed as the couchjs query server.
>
> So... I'm led to think of an http api:
>
> POST /_bcrypt
> "json clearstring"
>
> response:
> {
>   "crypted" : "sdafkjhskasdf/sdd",
>   "salt" : "foo"
> }
>
> This smells. Crypto should run in the browser. I haven't found a
> JavaScript bcrypt yet.
>
> The sane alternative seems to be to special-case the user's-db _design
> document somehow, so it can be in Erlang even if native query servers
> are not enabled. After all, it is trusted Erlang code that ships with
> the package.
>
> I don't think I'll let our still using salted sha1 keep me from
> merging to trunk. After all, it's what we're using now so this
> definitely isn't a step backwards.
>
> Chris
>
> --

There is a blowfish encryption implementation available in JavaScript. Doesn't bcrypt stand for "blowfish crypt"?

http://www.openbsd.org/cgi-bin/man.cgi?query=bcrypt&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

from where it has been created.

- benoît
