Malthe Borch wrote:
> 2009/5/12 Paul Johnston <p...@pajhome.org.uk>:
>> I am going to have a go at adding a new authentication method to
>> repoze.who. It's like the standard forms authentication, but uses
>> JavaScript hashing to protect the password as it is transmitted.
> 
> Excellent; there's been talk on this list previously about such a
> mechanism.
> 
>> I know many people are using my scripts, so I think this would be a
>> good feature for repoze.who. I've not used repoze.who so far, so let's
>> see how I get on. If anyone would like to lend a hand, just let me
>> know.
> 
> Is it correct to assume that if both the form where users originally
> provide their desired password and the login form both use your
> script, then nothing needs to be done on the server-side?

I think the server has to be configured to store the passwords generated
from the JS hash library "in the clear", and to use the "clear_check"
checker (re-hashing is not useful).


Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
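
The setup described in the reply above, as an added example that is not part of the original message and is not repoze.who code: the store holds the value the browser script produces, and the checker compares it as-is, while a checker that hashes again never matches. The function names, the htpasswd-style store layout and the use of SHA-1 hex as the client-side hash are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data; SHA-1 hex is an assumed stand-in for the browser-side hash.
def client_side_hash(password):
    """What the login form submits instead of the typed password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def parse_store(text):
    """Parse htpasswd-style 'login:value' lines into a dict, skipping junk."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        login, value = line.split(":", 1)
        entries[login] = value
    return entries

def clear_style_check(submitted, stored):
    """Compare the submitted value to the stored one as-is, in constant time."""
    return hmac.compare_digest(submitted.encode("utf-8"), stored.encode("utf-8"))

def rehashing_check(submitted, stored):
    """Hash the submitted value once more before comparing (the mismatched setup)."""
    again = hashlib.sha1(submitted.encode("utf-8")).hexdigest()
    return hmac.compare_digest(again.encode("utf-8"), stored.encode("utf-8"))

def authenticate(store, login, submitted, check):
    """Look up the login and apply the configured checker."""
    stored = store.get(login)
    if stored is None:
        check(submitted, "0" * 40)  # dummy comparison so unknown logins cost roughly the same
        return False
    return check(submitted, stored)

SAMPLE_STORE = "# constructed entry\nalice:" + client_side_hash("correct horse") + "\n"

if __name__ == "__main__":
    store = parse_store(SAMPLE_STORE)
    sent = client_side_hash("correct horse")
    print("clear-style check:", authenticate(store, "alice", sent, clear_style_check))
    print("re-hashing check: ", authenticate(store, "alice", sent, rehashing_check))
```

Because the stored value is exactly what the form submits, the store file needs the same protection as a plaintext password file.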