Hi there,

Shane Hathaway wrote:

> We should really be using the SSHA standard (as defined by LDAP) as a 
> minimum.  SSHA was the default in Zope 2, but someone forgot to bring 
> this code over to Zope 3.
> http://svn.zope.org/Zope/trunk/lib/python/AccessControl/AuthEncoding.py?rev=94737&view=markup

Is there some recent documentation about SSHA available? The Netscape
links seem to be down.

The code looks quite similar to what is done in the current SHA1
password manager, but if there is a standard we could follow, we
probably should do that and recommend that people switch.

SSHA seems cryptography-wise to be as strong or weak as the hash
algorithm used (which here was SHA-1), so I wonder whether you would like to
replace the standard SHA1 manager with an SSHA manager or vote for
providing a new one.

> A SHA-256 version of the algorithm would also be useful since 
> cryptography experts expect SHA-1 to be vulnerable soon.

Yes, indeed. All that SHA-2 stuff (SHA-224, SHA-256, SHA-384 and SHA-512)
might be the choice for the future. Unfortunately we have no out-of-the-box
support for these in Python 2.4. They were introduced in Python 2.5.

Best regards,


Attachment: signature.asc
Description: This is a digitally signed message part

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )
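
Added illustration, not part of the original message and not Zope's AuthEncoding code: the LDAP-style SSHA encoding discussed in this thread (scheme tag followed by base64 of SHA-1(password + salt) + salt), with a SHA-256 variant and a constant-time check. The function names, the 8-byte salt length and the `{SSHA256}` tag for the SHA-256 variant are assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Scheme tag -> hashlib algorithm name. "{SSHA}" is the LDAP salted SHA-1
# scheme; "{SSHA256}" is assumed here as the tag for the SHA-256 variant.
SCHEMES = {"{SSHA}": "sha1", "{SSHA256}": "sha256"}
SALT_LEN = 8  # assumption: 8 random bytes per password


def encode(password, scheme="{SSHA}", salt=None):
    """Return scheme + base64(H(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    data = password.encode("utf-8") + salt
    digest = hashlib.new(SCHEMES[scheme], data).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify(password, stored):
    """Check a password against a stored value; malformed input is a mismatch."""
    for scheme, algo in SCHEMES.items():
        if not stored.startswith(scheme):
            continue
        try:
            raw = base64.b64decode(stored[len(scheme):], validate=True)
        except (binascii.Error, ValueError):
            return False
        size = hashlib.new(algo).digest_size
        if len(raw) <= size:  # no salt present: not a salted value
            return False
        digest, salt = raw[:size], raw[size:]
        data = password.encode("utf-8") + salt
        candidate = hashlib.new(algo, data).digest()
        # Constant-time comparison, so timing does not leak matching bytes.
        return hmac.compare_digest(candidate, digest)
    return False  # unknown scheme tag


if __name__ == "__main__":
    for tag in SCHEMES:
        value = encode("correct horse", tag)  # constructed sample password
        print(value, verify("correct horse", value), verify("wrong", value))
```

The salt only makes equal passwords produce different stored values; as the message notes, the scheme is no stronger than the hash underneath it.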