hi!
here are some thoughts about a possible future authentication scheme:
* all passwords are stored as hashes only.
* authentication happens via challenge/response so that no plaintext-equivalent data travels across the network. this assumes some client-side javascript code to compute the response (afaik, http digest is no real alternative because it uses plaintext-equivalent hashes).
* the challenge changes all the time, so that replay attacks don't work.
* additionally, we come up with some neat documentation about how to enforce ssl connections for authoring and live ac login.
if the current authentication code is used consistently throughout, this should not be too hard, but i have not read it yet.
what do you think?
jörn
--
jörn nettingsmeier
home://germany/45128 essen/lortzingstr. 11/
http://spunk.dnsalias.org
phone://+49/201/491621
if you are a free (as in "free speech") software developer
and you happen to be travelling near my home, drop me a line
and come round for a free (as in "free beer") beer. :-D
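The challenge/response flow sketched in the message above, written out as an added example (this is editor-supplied illustration, not code from the original post or from the project it concerns). It assumes a design the message does not spell out: the server stores a per-user salt and a verifier `SHA-256(salt || password)` rather than the password, sends the salt together with a fresh random nonce as the challenge, and accepts `HMAC(verifier, nonce)` as the response. Each nonce is accepted once, so a captured response cannot be replayed. The names `Server`, `make_verifier` and `client_response` are invented for the example. One caveat a practitioner would want: in this scheme the stored verifier is exactly what the client needs to answer a challenge, so a leaked verifier database is as dangerous as leaked passwords, which is the same property the message attributes to HTTP digest; the transport protection the message mentions (SSL) is what keeps the stored value from being the only line of defence.

```python
import hashlib
import hmac
import secrets


def make_verifier(password: str, salt: bytes) -> bytes:
    """Verifier stored server-side: SHA-256(salt || password). Assumed design, not the project's."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class Server:
    """Hypothetical server side of the challenge/response login."""

    def __init__(self) -> None:
        self.users = {}           # username -> (salt, verifier); no plaintext passwords kept
        self.pending = {}         # username -> nonce issued but not yet answered
        self.used_nonces = set()  # every nonce is accepted at most once, which defeats replay

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, make_verifier(password, salt))

    def challenge(self, username: str) -> tuple[bytes, bytes]:
        """Issue a fresh random nonce; the challenge changes on every login attempt."""
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        """Accept the response only for the outstanding nonce, and only once."""
        if nonce in self.used_nonces or self.pending.get(username) != nonce:
            return False
        # consume the nonce before checking, so a replayed response fails even if it is valid
        self.used_nonces.add(nonce)
        del self.pending[username]
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the client-side script would compute; the password itself never leaves the client."""
    verifier = make_verifier(password, salt)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine login accepted, replay rejected, wrong password rejected)."""
    srv = Server()
    srv.register("alice", "correct horse")  # constructed sample credential

    salt, nonce = srv.challenge("alice")
    resp = client_response("correct horse", salt, nonce)
    first = srv.verify("alice", nonce, resp)

    # an observer who captured (nonce, resp) on the wire tries to reuse it
    replay = srv.verify("alice", nonce, resp)

    # a fresh challenge answered with the wrong password
    salt2, nonce2 = srv.challenge("alice")
    wrong = srv.verify("alice", nonce2, client_response("wrong", salt2, nonce2))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In a real deployment the `used_nonces` set needs an expiry (nonces carry a timestamp or live in a bounded cache), otherwise it grows without limit; the example keeps it unbounded only to make the replay check obvious.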