On Thu, 25 May 2006, Dave Cridland wrote:
>
> Consider the case where the server is compromised.

A client compromise is much more likely :-)

> If you use DIGEST-MD5, then the attacker only has a plaintext equivalent good
> enough to authenticate with the compromised server, and cannot obtain anything
> better from the authentication process on the wire - if the server is
> compromised, therefore, you've lost privacy, but not your password.

AFAIK most DIGEST-MD5 implementations keep bare passwords on the server, so a
server compromise would expose them all.

Tony.
-- 
f.a.n.finch <[EMAIL PROTECTED]> http://dotat.at/
DENMARK STRAIT: NORTH OR NORTHWEST 4 OR 5, INCREASING 6 FOR A TIME IN EAST,
OCCASIONALLY VARIABLE 4 IN WEST. LIGHT ICING IN EAST, TEMPERATURES ZERO TO MS02.
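
The storage question discussed in this message, as an added example that is not part of the original post or of any particular server's code: it follows the RFC 2831 response computation for qop=auth without an authzid, and shows that a server holding only H(username:realm:password) can verify a login, that this stored value is itself sufficient to log in to that realm, and that it does not work against a different realm. The user, password, realms, nonces and function names are constructed for illustration.

```python
import hashlib
import hmac

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def stored_secret(user: str, realm: str, password: str) -> bytes:
    # H(username:realm:password) from RFC 2831: a server can keep this
    # 16-byte value instead of the bare password.
    return md5(f"{user}:{realm}:{password}".encode("utf-8"))

def response_from_secret(secret, nonce, cnonce, nc, digest_uri, qop="auth") -> str:
    # RFC 2831 response value, computed from the stored secret alone.
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd_input = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd_input.encode("utf-8")).hex()

def client_response(user, realm, password, nonce, cnonce, nc, digest_uri) -> str:
    # The client starts from the password and derives the same secret.
    secret = stored_secret(user, realm, password)
    return response_from_secret(secret, nonce, cnonce, nc, digest_uri)

def server_verify(secret, nonce, cnonce, nc, digest_uri, response) -> bool:
    expected = response_from_secret(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)

# Constructed sample values (not taken from the message above).
USER, PASSWORD = "alice", "correct horse"
REALM_A, REALM_B = "mail.example.org", "other.example.net"
URI_A, URI_B = "imap/mail.example.org", "imap/other.example.net"
NONCE, CNONCE, NC = "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl", "00000001"

def demo() -> dict:
    db_a = stored_secret(USER, REALM_A, PASSWORD)  # what server A stores
    db_b = stored_secret(USER, REALM_B, PASSWORD)  # same password, other realm
    resp = client_response(USER, REALM_A, PASSWORD, NONCE, CNONCE, NC, URI_A)
    from_db_a_at_b = response_from_secret(db_a, NONCE, CNONCE, NC, URI_B)
    return {
        # Server A verifies the login without ever holding the password.
        "verifies_without_password": server_verify(db_a, NONCE, CNONCE, NC, URI_A, resp),
        # The stored value alone reproduces a valid response for realm A.
        "secret_is_plaintext_equivalent": response_from_secret(db_a, NONCE, CNONCE, NC, URI_A) == resp,
        # The value stored for realm A is rejected by a server for realm B.
        "realm_a_secret_fails_at_realm_b": not server_verify(db_b, NONCE, CNONCE, NC, URI_B, from_db_a_at_b),
    }

if __name__ == "__main__":
    print(demo())
```

A server that stores the bare password instead of `stored_secret(...)` gets none of this realm binding, which is the exposure the reply above describes.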
