Date: Wed, 6 Jan 2010 07:21:06 +0100
Subject: Re: authentication cleanup
From: Benoit Chesneau
To: dev@couchdb.apache.org

On Wed, Jan 6, 2010 at 3:25 AM, Chris Anderson wrote:
> On Tue, Jan 5, 2010 at 10:50 AM, Chris Anderson wrote:
>>
>> I'd be happy to see the users db design document ported to erlang, so
>> we can use erlang's bcrypt (assuming license is ok).
>
> One problem here is I think that we currently ship with the native
> query server disabled. We'd need to add this to default.ini to make
> this stuff ship with CouchDB:
>
> [native_query_servers]
> erlang={couch_native_process, start_link, []}
>
> I'm wary about making this change because native query servers aren't
> as sandboxed as the couchjs query server.
>
> So... I'm led to think of an http api:
>
> POST /_bcrypt
> "json clearstring"
>
> response:
> {
>   "crypted" : "sdafkjhskasdf/sdd",
>   "salt" : "foo"
> }
>
> This smells. Crypto should run in the browser. I haven't found a
> JavaScript bcrypt yet.
>
> The sane alternative seems to be to special-case the user's-db _design
> document somehow, so it can be in Erlang even if native query servers
> are not enabled. After all, it is trusted Erlang code that ships with
> the package.
>
> I don't think I'll let our still using salted sha1 keep me from
> merging to trunk. After all, it's what we're using now so this
> definitely isn't a step backwards.
>
> Chris
>
> --

There is a blowfish encryption implementation available in javascript.
Doesn't bcrypt stand for "blowfish crypt"?

http://www.openbsd.org/cgi-bin/man.cgi?query=bcrypt&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

from where it has been created.

- benoît
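
The thread keeps salted SHA-1 in place while a bcrypt option is being looked for. As an added example (not part of this thread and not CouchDB code), the Node.js code below verifies a legacy salted SHA-1 record and, on a successful login, returns a replacement record under a work-factor KDF so stored hashes can be migrated gradually. Assumptions: the record layout, function names and iteration count are hypothetical, the legacy digest is taken as SHA-1 over password followed by salt, and PBKDF2-HMAC-SHA256 stands in for bcrypt because Node core ships no bcrypt.

```javascript
// Added example: record layout, names and work factor are hypothetical.
const crypto = require('crypto');

const KDF_ITERATIONS = 100000; // assumed work factor; tune to the login latency budget

// Legacy scheme (assumed construction): one SHA-1 pass over password + salt.
function hashSaltedSha1(password, salt) {
  return crypto.createHash('sha1').update(password + salt).digest('hex');
}

// Work-factor scheme: PBKDF2-HMAC-SHA256, used here as a stand-in for bcrypt.
function hashPbkdf2(password, salt, iterations) {
  return crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256').toString('hex');
}

// Build a fresh record with a random per-user salt and the current work factor.
function newRecord(password) {
  const salt = crypto.randomBytes(16).toString('hex');
  return { scheme: 'pbkdf2', iterations: KDF_ITERATIONS, salt,
           hash: hashPbkdf2(password, salt, KDF_ITERATIONS) };
}

// Compare two hex digests without leaking the mismatch position through timing.
function sameDigest(a, b) {
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Returns { ok, upgraded }. `upgraded` is a replacement record when a legacy
// or under-strength record verified and should be written back, else null.
function verifyAndUpgrade(record, password) {
  let candidate;
  if (record.scheme === 'sha1') {
    candidate = hashSaltedSha1(password, record.salt);
  } else if (record.scheme === 'pbkdf2') {
    candidate = hashPbkdf2(password, record.salt, record.iterations);
  } else {
    return { ok: false, upgraded: null }; // unknown scheme: fail closed
  }
  if (!sameDigest(candidate, record.hash)) return { ok: false, upgraded: null };
  const stale = record.scheme === 'sha1' || record.iterations < KDF_ITERATIONS;
  return { ok: true, upgraded: stale ? newRecord(password) : null };
}
```

The caller persists `upgraded` only after `ok` is true; the cleartext password is available at that moment and at no other, which is why the rehash happens at login.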