ietf-nntp Section 11.5 - NEWNEWS
Andrew Gierth
andrew at erlenstar.demon.co.uk
Tue Jul 25 10:54:26 PDT 2000
>>>>> "Charles" == Charles Lindsey <chl at clw.cs.man.ac.uk> writes:
>> 2) the auth draft specified that SASL and the DIGEST-MD5 scheme
>> were MUST requirements of any implementation using auth. While the
>> desire to avoid plaintext passwords is all well and good, I for
>> one cannot implement any scheme in which the user-entered password
>> is not recoverable in plaintext at the server end (I have seen no
>> SASL scheme that allows this, though it is theoretically possible
>> using public-key encryption).
Charles> Why not? The CHAP protocol in PPP works fine without the
Charles> user-entered password being recovered at the server (yes,
Charles> the server needs to know it, or some hash of it, at the time
Charles> the user registers for service).
Because I don't _have_ the passwords, or precomputed hashes of them,
available at the server. In fact I don't even have the usernames; all
I have is a system to associate username patterns with remote
authentication methods (which are not under my control).
--
Andrew.
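
The constraint debated in this thread, as an added example that is not part of the original message: a CHAP-style verifier must hold the shared secret, so a front end that can only hand a username and password to a remote authenticator has nothing to check the digest against. The response formula is the MD5 form from RFC 1994; the class names, the account data and the plaintext-only backend are hypothetical.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP/MD5: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class LocalSecretServer:
    """Holds each user's secret, so it can recompute and compare the digest."""
    def __init__(self, secrets):
        self.secrets = secrets
    def verify(self, user, identifier, challenge, response):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

class PlaintextOnlyBackend:
    """Hypothetical remote authenticator that accepts only (user, password)."""
    def __init__(self, accounts):
        self._accounts = accounts
    def check(self, user, password):
        stored = self._accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

class RelayServer:
    """Front end with no usernames or secrets of its own; it can only forward."""
    def __init__(self, backend):
        self.backend = backend
    def verify_plaintext(self, user, password):
        return self.backend.check(user, password)
    def verify_chap(self, user, identifier, challenge, response):
        # The digest is one-way, so the password cannot be recovered from it;
        # the only thing left to forward is the digest, which is not the password.
        return self.backend.check(user, response)

def demo():
    accounts = {"alice": b"correct horse"}  # constructed sample account
    ident, challenge = 1, os.urandom(16)
    resp = chap_response(ident, accounts["alice"], challenge)
    local = LocalSecretServer(accounts)
    relay = RelayServer(PlaintextOnlyBackend(accounts))
    return {"local_chap": local.verify("alice", ident, challenge, resp),
            "relay_plain": relay.verify_plaintext("alice", b"correct horse"),
            "relay_chap": relay.verify_chap("alice", ident, challenge, resp)}

if __name__ == "__main__":
    print(demo())
```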