On Thursday, August 20, 2015, Alex Peshkoff <peshk...@mail.ru> wrote:
> > > And what about the vault at the client side containing long randomly > generated password for SRP - this is definitely a way to make things not > as bad as they can when verifiers are compromised. I suppose to use this > suggestion in post-3 release of firebird. The problem I see now is that > it's very much client-dependent, i.e. how can server be sure that when > password is changed client did send to it really high-quality random > password? > > > You can't "make" users do anything they don't want to do or they won't be > users anymore. What you can do is make it easier to do the right thing > than not. Great thought should be given to making a vault easier to use > than not using it, maybe by dumping other connection/session parameters for > defaults. I'm think about it, but the crypto is likely to be the easiest > part. Anyone have any good ideas of how to handle key management for on-disk encryption? The ChaCha20 scheme that is both fast and allows direct access to a cypher stream seems ideal for an algorithm, but key management is critical. A server side vault? -- Jim Starkey
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
