Date:      Fri, 9 Jul 1999 01:29:10 +0930 (CST)
From:      Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To:        Eivind Eklund <eivind@freebsd.org>
Cc:        Peter Wemm <peter@netplex.com.au>, security@freebsd.org
Subject:   Re: Improved libcrypt ready for testing
Message-ID:  <Pine.OSF.4.10.9907090119230.27376-100000@bragg>
In-Reply-To: <19990708174622.B50609@bitbox.follo.net>

On Thu, 8 Jul 1999, Eivind Eklund wrote:

> > As an interim measure, this could be used as just another hash
> > algorithm like any other which is queried by cleartext passwords,
> > but obviously you wouldn't want to be querying some services using
> > SRP and others using the plaintext of the same password.
> 
> I disagree.  In my opinion, you would obviously want to - to give a
> simple example, I'm willing to type my plaintext password at a login
> prompt, but I'm not willing to transfer it in the clear using POP3.

I was referring to the case of having two remote services, one of which is
accessed using the plaintext password, using the SRP hash as a traditional
password hash on the server (e.g., a non-SRP'ified POP3 client), and one which
has an SRP-speaking client and uses the full SRP protocol, but the same
password (e.g., SRP'ified telnet).

SRP only has benefits if you use it exclusively for a given account over the
network.

Kris

-----
"Never criticize anybody until you have walked a mile in their shoes,
because by that time you will be a mile away and have their shoes."
    -- Unknown
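As an added example (not code from the thread or from the libcrypt work it discusses), here is the distinction Kris draws, in Python: the server stores one SRP verifier v, a plaintext-password service can check a password by recomputing v, and the SRP exchange runs from that same v, so a password sent in the clear to the first service is exactly the secret the second one relies on. The group, salt and hash choices are assumptions for illustration.

```python
import hashlib
import secrets

# Constructed illustration group: 2**127 - 1 is prime but far too small for
# real use; real SRP deployments use the RFC 5054 safe-prime groups.
N = 2**127 - 1
g = 3

def H(*parts) -> int:
    """Hash integers (as 16-byte big-endian) and bytes to an integer, as SRP does for x, u, k."""
    raw = b"".join(p if isinstance(p, bytes) else p.to_bytes(16, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def private_x(user: str, pw: str, salt: bytes) -> int:
    """x = H(s | H(I ':' p)); only ever computed on the client (or at enrollment)."""
    return H(salt, hashlib.sha256(f"{user}:{pw}".encode()).digest())

def make_verifier(user: str, pw: str, salt: bytes) -> int:
    """Enrollment: v = g^x mod N. The server stores (salt, v), never p or x."""
    return pow(g, private_x(user, pw, salt), N)

def verify_plaintext(user: str, pw: str, salt: bytes, v: int) -> bool:
    """Legacy path: a service that still receives the password in the clear
    (the non-SRP POP3 case in the thread) checks it by recomputing v."""
    return make_verifier(user, pw, salt) == v

def srp_exchange(user: str, pw: str, salt: bytes, v: int) -> tuple:
    """SRP path (SRP-6 style): the client proves knowledge of pw, the server
    uses only v. Returns (client_secret, server_secret); they match iff pw is right."""
    k = H(N, g)
    a = secrets.randbelow(N - 2) + 1
    b = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                       # client -> server
    B = (k * v + pow(g, b, N)) % N         # server -> client
    u = H(A, B)                            # both sides
    x = private_x(user, pw, salt)          # client only
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(v, u, N) % N, b, N)
    return s_client, s_server
```

Because both paths derive from the same (salt, v), protecting the account with SRP on telnet buys nothing while the POP3 daemon still receives the plaintext: the plaintext alone is enough to complete the SRP exchange.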
