There's still the fact that pserver saves a file containing a very weakly
encrypted form of the user's password.  Since users tend to use the same
password for different systems, these systems can be easily compromised.

Noel
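An added illustration of the point above, written for this page rather than taken from the thread or from CVS itself: a cached password that is only passed through a fixed, keyless table is recoverable by anyone who can read the cache file, and because the transform is deterministic and unsalted, password reuse across repositories shows even without inverting the table. The table, the cache line format and the sample entries are all constructed for the example.

```python
import random
from collections import defaultdict

# Constructed fixed byte permutation standing in for a scramble table.
# The seed only makes it reproducible; nothing here is a secret.
_rng = random.Random(2000)
_TABLE = list(range(256))
_rng.shuffle(_TABLE)
_INVERSE = [0] * 256
for plain, coded in enumerate(_TABLE):
    _INVERSE[coded] = plain


def scramble(password: str) -> str:
    """Keyless, deterministic 'encryption': same input, same output, no salt."""
    return "A" + bytes(_TABLE[b] for b in password.encode()).hex()


def descramble(stored: str) -> str:
    """Invert the table.  Anyone holding the client code can do the same."""
    if not stored.startswith("A"):
        raise ValueError("unknown cache format")
    return bytes(_INVERSE[b] for b in bytes.fromhex(stored[1:])).decode()


def parse_cache(text: str) -> dict:
    """Parse constructed '<repository> <stored>' lines into {repo: stored}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            repo, stored = line.split()
            entries[repo] = stored
    return entries


def recover_all(text: str) -> dict:
    """What a reader of the cache file obtains: every password, in clear."""
    return {repo: descramble(s) for repo, s in parse_cache(text).items()}


def reuse_groups(text: str) -> list:
    """Repositories sharing a password, found without touching the table:
    equal stored values mean equal passwords, since there is no salt."""
    groups = defaultdict(list)
    for repo, stored in parse_cache(text).items():
        groups[stored].append(repo)
    return sorted(repos for repos in groups.values() if len(repos) > 1)


# Constructed sample cache: three repositories, one password used twice.
SAMPLE_CACHE = "\n".join([
    ":pserver:noel@cvs.megacorp.com:/repo " + scramble("hunter2"),
    ":pserver:noel@cvs.example.org:/src " + scramble("hunter2"),
    ":pserver:noel@cvs.other.net:/proj " + scramble("s3cret!"),
])
```

Auditing one's own cache with `reuse_groups` shows which systems fall together if the file is ever read; tightening the file's permissions limits who can read it but does not change what it contains.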




[EMAIL PROTECTED] on 2000.06.10 19:08:12

To:   [EMAIL PROTECTED]
cc:   [EMAIL PROTECTED]
Subject:  Re: SRP implementation in CVS




>>>>> "NLY" == Noel L Yap <[EMAIL PROTECTED]> writes:

NLY> Yes, I should've been more specific as to what part of CVS would be
NLY> affected.  To clarify the proposal, "cvs login" would be changed to
NLY> use the SRP protocol.

No.  SSL is used to assure that yes, client.developer.com talks to yes,
cvs.megacorp.com, and does it securely.  cvs-sslserver sets up an SSL
connection with cvs-client.  Then the password goes over the encrypted wire
and the authentication module on the server side fires up.  Upon successful
authentication "cvs pserver" starts communicating with the cvs client.

NLY> I'm starting to think this would bloat CVS
NLY> since it would introduce some encryption algorithms.

No, the cvs-nserver scheme will just require writing cvs-sslserver (a separate
binary) and SSL hooks in the client (I've seen SSL support in fetchmail,
sendmail and qmail and it is not bloated, if that is what you fear).

dash dash tragedy
