hi!
here are some thoughts about a possible future authentication scheme:
* all passwords are stored as hashes only.
* authentication happens via challenge/response so that no
plaintext-equivalent data travels across the network. this assumes some
client-side javascript code to compute the response (afaik, http digest
is no real alternative because it uses plaintext-equivalent hashes).
* the challenge changes all the time, so that replay attacks don't work.
* additionally, we come up with some neat documentation about how to
enforce ssl connections for authoring and live ac login.
if the current authentication code is used consistently throughout, this
should not be too hard, but i have not read it yet.
what do you think?
jörn
--
"Open source takes the bullshit out of software."
- Charles Ferguson on TechnologyReview.com
--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736