From owner-freebsd-security Thu Jul 8 8:59:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247])
        by hub.freebsd.org (Postfix) with ESMTP id 8CA01154AA;
        Thu, 8 Jul 1999 08:59:15 -0700 (PDT)
        (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34])
        by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id BAA31302;
        Fri, 9 Jul 1999 01:29:11 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA32198;
        Fri, 9 Jul 1999 01:29:10 +0930
Date: Fri, 9 Jul 1999 01:29:10 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Eivind Eklund
Cc: Peter Wemm , security@freebsd.org
Subject: Re: Improved libcrypt ready for testing
In-Reply-To: <19990708174622.B50609@bitbox.follo.net>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 8 Jul 1999, Eivind Eklund wrote:

> > As an interim measure, this could be used as just another hash
> > algorithm like any other which is queried by cleartext passwords,
> > but obviously you wouldn't want to be querying some services using
> > SRP and others using the plaintext of the same password.
>
> I disagree. In my opinion, you would obviously want to - to give a
> simple example, I'm willing to type my plaintext password at a login
> prompt, but I'm not willing to transfer it in the clear using POP3.

I was referring to the case of having two remote services, one of which
is accessed using the plaintext password using the SRP hash as a
traditional password hash on the server (e.g., a non-SRP'ified POP3
client), and one which has a SRP-speaking client and uses the full SRP
protocol, but the same password (e.g., SRP'ified telnet). SRP only has
benefits if you use it exclusively for a given account over the network.

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
    -- Unknown
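
The point made in the message above, as an added example that is not part of the original e-mail or of the libcrypt code under discussion: one stored SRP verifier can back both a cleartext-password check and a full SRP exchange, and only the second keeps the password off the network. It assumes SRP-6a formulas with SHA-256, a demo-only modulus, and constructed names (`enroll`, `legacy_login`, `srp_login`, the user `alice` and her passphrase).

```python
import hashlib
import secrets

# Assumptions (not from the thread): SRP-6a formulas with SHA-256.
# N = 2**521 - 1 is a Mersenne prime used only to keep the demo short;
# deployments use a vetted safe-prime group such as those in RFC 5054.
N, g = 2**521 - 1, 3

def H(*parts):
    """Hash a mix of bytes and integers (< 2**528) to an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(66, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def private_x(salt, user, password):
    return H(salt, hashlib.sha256(f"{user}:{password}".encode()).digest())

def enroll(user, password):
    """Server-side record: (salt, verifier v = g^x mod N)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def legacy_login(record, user, password):
    """Interim mode: cleartext arrives and is checked against v like a hash."""
    salt, v = record
    wire = {"user": user, "password": password}    # what the network carries
    return wire, pow(g, private_x(salt, user, wire["password"]), N) == v

def srp_login(record, user, password):
    """Full SRP key agreement, both sides simulated (M1/M2 proofs omitted)."""
    salt, v = record
    a, b = (secrets.randbelow(N - 2) + 1 for _ in range(2))
    A = pow(g, a, N)                                # client -> server
    B = (k * v + pow(g, b, N)) % N                  # server -> client
    u, x = H(A, B), private_x(salt, user, password)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(v, u, N) % N, b, N)
    wire = {"user": user, "salt": salt, "A": A, "B": B}
    return wire, s_client == s_server

record = enroll("alice", "constructed-passphrase")  # constructed sample account
pop3_wire, pop3_ok = legacy_login(record, "alice", "constructed-passphrase")
srp_wire, srp_ok = srp_login(record, "alice", "constructed-passphrase")
# The password carried on the legacy wire completes the SRP login as well.
_, reused_ok = srp_login(record, "alice", pop3_wire["password"])
print(pop3_ok, srp_ok, reused_ok, "password" in srp_wire)
```

The SRP wire dictionary holds only the username, salt, `A` and `B`, while the legacy one holds the password that unlocks both services for the same account.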