On Tue, Aug 25, 2009 at 8:18 AM, Kevin Smith <[email protected]> wrote:

> > 4. Do you have any security concerns related to this specification?
>
> Only in as much as it's a great big file with everyone's passwords in.


Sure, there are little servers supporting it and there doesn't seem to be
huge demand for it, but maybe one should add support for other encodings for
the password. Currently it seems you have to use plaintext there.
For example, one could also allow storage of the password via two values (one
for UTF-8 and one for ISO 8859-1) of
H( { username-value, ":", realm-value, ":", passwd } ) as it is used in the
Digest-MD5 mechanism.

A similar method should be possible for the future SCRAM mechanism.

Tobias
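As an added illustration (not code from the thread or from any XMPP server), here is what the two encoding-specific Digest-MD5 values proposed above would be, alongside the stored values a SCRAM-SHA-1 verifier needs instead of a plaintext password. Function names are my own; SASLprep normalisation of the password is left out as a simplifying assumption.

```python
import hashlib
import hmac
import os

def digest_md5_ha1(username: str, realm: str, password: str, encoding: str):
    """H(username ":" realm ":" passwd) over the bytes of one encoding, the
    value RFC 2831 needs to verify a Digest-MD5 response. Returns None when
    the password cannot be represented in that encoding (e.g. non-Latin-1
    characters with ISO-8859-1), so the caller can store only the UTF-8 value."""
    try:
        data = f"{username}:{realm}:{password}".encode(encoding)
    except UnicodeEncodeError:
        return None
    return hashlib.md5(data).hexdigest()

def digest_md5_ha1_pair(username: str, realm: str, password: str) -> dict:
    """The two values from the mail: clients may hash the password as either
    UTF-8 or ISO-8859-1, so storing both lets the server verify whichever the
    client used, without keeping the plaintext."""
    return {
        "utf-8": digest_md5_ha1(username, realm, password, "utf-8"),
        "iso-8859-1": digest_md5_ha1(username, realm, password, "iso-8859-1"),
    }

def scram_sha1_verifier(password: str, salt: bytes = None, iterations: int = 4096) -> dict:
    """SCRAM (RFC 5802) keeps salt, iteration count, StoredKey and ServerKey:
    SaltedPassword = PBKDF2-HMAC-SHA-1(password, salt, i)
    ClientKey = HMAC(SaltedPassword, "Client Key"); StoredKey = H(ClientKey)
    ServerKey = HMAC(SaltedPassword, "Server Key")
    These suffice to authenticate a client; the password itself is not stored.
    SASLprep of the password is omitted here (assumption for brevity)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}
```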
