[EMAIL PROTECTED] on 2000.07.24 17:33:23
>> Yes, I still think authentication stuff should be left out of CVS.  Instead
>> something pluggable should exist.
>>
>> For example, if instead of the password authentication protocol you suggest, I
>> wanted to use SRP (so that the password isn't sent over the wire at all) or SSH,
>> I'd be dead in the water.
>
>I can't really object to a pluggable solution which implements your desired
>functionality, but I would not like to see such an insecure mechanism become part
>of the main CVS executable or be easy for a user to apply without being aware of
>the possible consequences and drawbacks.

There might've been some misunderstanding here.  After rereading my post, I
noticed I wasn't so clear about my description of SRP.  SRP does password
authentication without ever sending the password (either in the clear or
encrypted) over the wire.  Instead, it uses AKE (asymmetric key exchange) to
authenticate.

If this wasn't a source of misunderstanding, can you explain your point "I would
not like to see such an insecure mechanism become part of the main CVS
executable..."?

Noel
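
The exchange the message describes, as an added example that is not part of the original post and not CVS code: an SRP-6a login in which only the user name, public values, salt and a key proof cross the wire. Assumptions: SHA-256 as the hash, a simplified proof message, the 1024-bit group from RFC 5054, and the function names `enroll` and `login`, which are hypothetical.

```python
import hashlib, hmac, secrets

# 1024-bit group from RFC 5054 Appendix A (safe prime N, generator g = 2).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
        "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
        "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
        "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
        "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def pad(n):
    return n.to_bytes(128, "big")          # fixed-width encoding of a group element

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def Hint(*parts):
    return int.from_bytes(H(*parts), "big")

k = Hint(pad(N), pad(g))                   # SRP-6a multiplier

def private_x(salt, user, password):
    return Hint(salt, H(f"{user}:{password}".encode()))

def enroll(user, password):
    """Server-side record: a salt and verifier v = g^x mod N, never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def login(user, typed_password, salt, v):
    """One exchange. Returns (bytes sent on the wire, client key, server key, accepted)."""
    a = secrets.randbelow(N - 2) + 1        # client's ephemeral secret
    A = pow(g, a, N)                        # client -> server: user, A
    b = secrets.randbelow(N - 2) + 1        # server's ephemeral secret
    B = (k * v + pow(g, b, N)) % N          # server -> client: salt, B
    if A == 0 or B == 0:
        raise ValueError("degenerate public value, abort")
    u = Hint(pad(A), pad(B))                # scrambling parameter, computed by both sides
    x = private_x(salt, user, typed_password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_client, K_server = H(pad(S_client)), H(pad(S_server))
    M1 = H(pad(A), pad(B), K_client)        # client -> server: proof of key (simplified)
    accepted = hmac.compare_digest(M1, H(pad(A), pad(B), K_server))
    wire = [user.encode(), pad(A), salt, pad(B), M1]
    return wire, K_client, K_server, accepted
```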