pbkdf2 is used for password authentication. Password authentication happens when you send a POST request to /_session to obtain a Cookie for making further authenticated requests, or when Basic Auth is used. Replication isn't something special, just the way an HTTP client uses the CouchDB HTTP API to transfer documents from one database to another while preserving conflicts.
--
,,,^..^,,,

On Wed, Feb 11, 2015 at 1:54 AM, jumbo jim <[email protected]> wrote:
> Thanks Alexander.
>
> Can you confirm that pbkdf2 is only used for login and replication? Could
> there be other situations where this is used?
>
> Quite happy to keep iteration level low for replication.
>
> On Wed, Feb 11, 2015 at 8:44 AM, Alexander Shorin <[email protected]> wrote:
>
>> The intention was to avoid performance degradation: you may set 10000 as
>> the specification recommends, but this will significantly slow down
>> the authentication process and especially replication, which currently
>> cannot use cookies for auth. While 10 iterations is low, it's still
>> better than salted sha1, which was used previously.
>> --
>> ,,,^..^,,,
>>
>> On Tue, Feb 10, 2015 at 7:50 AM, jumbo jim <[email protected]> wrote:
>> > Hi,
>> >
>> > I noticed when creating new users in 1.6.1, that only 10 iterations of
>> > pbkdf2 is used.
>> >
>> > I found the following link -
>> >
>> > https://issues.apache.org/jira/browse/COUCHDB-2066
>> >
>> > What "requests" (other than login), go through the pbkdf2 scheme?
>> >
>> > I would imagine that replicators would not make use of session cookies, so
>> > therefore pbkdf2 would be used here. However, I am quite happy for the
>> > replicator user to have pbkdf2 iterations at 10 as this user contains a
>> > (strong) password that I control.
>> >
>> > I am more concerned with other users set at 10 iterations. Is pbkdf2 used
>> > for read/writes even though session cookies are used?
>> >
>> > What would the reasons be against using 10000 iterations?
>> >
>> > Thank you.
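
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not CouchDB code: it derives PBKDF2 keys at 10 and 10000 iterations and compares the hashing cost of Basic Auth on every request against a single password check followed by cookie checks. Assumptions: PBKDF2-HMAC-SHA1 with a 20-byte key, the user document field names shown, the constructed `SERVER_SECRET`, and a cookie check modelled as one HMAC per request.

```python
import hashlib
import hmac
import os
import time

SERVER_SECRET = b"constructed-demo-secret"  # constructed value, not a real CouchDB secret

def make_user_fields(password, iterations, salt=None):
    """Password fields of a user document (field names are an assumption)."""
    salt = salt or os.urandom(16).hex()
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, 20)
    return {"password_scheme": "pbkdf2", "iterations": iterations,
            "salt": salt, "derived_key": dk.hex()}

def verify_password(fields, password):
    """Re-derive the key with the stored salt and iteration count, compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), fields["salt"].encode(),
                             fields["iterations"], 20)
    return hmac.compare_digest(dk.hex(), fields["derived_key"])

def basic_auth_cost(fields, password, requests):
    """Seconds of hashing when every request carries Basic Auth (one PBKDF2 run each)."""
    start = time.perf_counter()
    for _ in range(requests):
        if not verify_password(fields, password):
            raise ValueError("bad password")
    return time.perf_counter() - start

def cookie_auth_cost(fields, password, requests):
    """Seconds of hashing with one PBKDF2 run at login, then one HMAC per request
    (a simplified model of checking a signed session cookie)."""
    start = time.perf_counter()
    if not verify_password(fields, password):
        raise ValueError("bad password")
    cookie = hmac.new(SERVER_SECRET, b"jim:timestamp", hashlib.sha1).digest()
    for _ in range(requests):
        check = hmac.new(SERVER_SECRET, b"jim:timestamp", hashlib.sha1).digest()
        if not hmac.compare_digest(cookie, check):
            raise ValueError("bad cookie")
    return time.perf_counter() - start

if __name__ == "__main__":
    for n in (10, 10000):
        user = make_user_fields("correct horse", n)
        print(n, "iterations:",
              f"basic={basic_auth_cost(user, 'correct horse', 200):.3f}s",
              f"cookie={cookie_auth_cost(user, 'correct horse', 200):.3f}s")
```

The per-request cost of a high iteration count only appears on the Basic Auth path; with a session cookie it is paid once per login.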
