directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ole Ersoy <>
Subject Re: [Authenticator] Question regarding encrypted passwords
Date Sat, 10 Mar 2007 22:01:07 GMT
Short answer:

I think 1

Longer answer/example:

Tomcat Authentication

User requests password page and provides credentials.

Browser encrypts post and sends it.

Tomcat ssl decrypts.

Authentication is then performed on the
authentication store (ADS possibly).

So I think the network usually takes care of securing itself, when needed.

I would probably leave 2 as "possible feature" and post it on our roadmap
so that users can vote on it.

I'll try to create a "Dell IdeaStorm" page for our road map later so that
features can be voted for.

- Ole

Emmanuel Lecharny wrote:
> Hi guys,
> I have a doubt, may be you have a clear vision about this point :
> is it the server responsability to compare the user's password against 
> an encrypted form or should the client encrypt the password before 
> sending it to the server ?
> I mean, we can have one of those two possibilities :
> 1) [client] --(clear password)--> <network> --> [server] --> encrypt 
> the password and compares it to the stored encrypted password
> or
> 2) [client] --(encrypt password)--> <network> [server] --> compares 
> the encrypted password and compares it to the stored encrypted password
> ?
> Emmanuel
> PS : we have solution 1 currently implemented. Is it correct ?

View raw message