directory-dev mailing list archives

From "Emmanuel Lecharny" <elecha...@gmail.com>
Subject Re: [Authenticator] Question regarding encrypted passwords
Date Mon, 12 Mar 2007 11:23:01 GMT
Yeah, 1 is the way to go. Forget about 2, it creates a security breach.

For roadmap, we use Jira, and you can vote for using it. The wheel already
exists ;)

On 3/10/07, Ole Ersoy <ole.ersoy@gmail.com> wrote:
>
> Short answer:
>
> I think 1
>
> Longer answer/example:
>
> Tomcat Authentication
>
> User requests password page and provides credentials.
>
> Browser encrypts post and sends it.
>
> Tomcat ssl decrypts.
>
> Authentication is then performed on the
> authentication store (ADS possibly).
>
> So I think the network usually takes care of securing itself, when needed.
>
> I would probably leave 2 as "possible feature" and post it on our roadmap
> so that users can vote on it.
>
> I'll try to create a "Dell IdeaStorm" page for our road map later so that
> features can be voted for.
>
> Cheers,
> - Ole
>
>
>
>
>
>
> Emmanuel Lecharny wrote:
> > Hi guys,
> >
> > I have a doubt, maybe you have a clear vision about this point :
> >
> > is it the server responsibility to compare the user's password against
> > an encrypted form or should the client encrypt the password before
> > sending it to the server ?
> >
> > I mean, we can have one of those two possibilities :
> > 1) [client] --(clear password)--> <network> --> [server] --> encrypt
> > the password and compares it to the stored encrypted password
> > or
> > 2) [client] --(encrypt password)--> <network> [server] --> compares
> > the encrypted password and compares it to the stored encrypted password
> >
> > ?
> >
> > Emmanuel
> >
> > PS : we have solution 1 currently implemented. Is it correct ?
> >
>
>


-- 
Cordialement,
Emmanuel Lécharny
www.iktek.com
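
One reason option 2 is commonly considered weaker than option 1, shown as an added example that is not part of the original thread or of the project's code: if the server only compares what the client sends against the stored value, the stored value itself works as the password. The store layout, the function names, the sample user and the use of PBKDF2 as the one-way form are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Illustrative model only: the store layout and function names are assumptions,
# and PBKDF2 stands in for whatever one-way form the server stores.

def one_way(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def make_store(users: dict) -> dict:
    """Build {user: (salt, stored_hash)} from constructed sample credentials."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, one_way(password, salt))
    return store

def login_option1(store: dict, user: str, clear_password: bytes) -> bool:
    """Option 1: the client sends the clear password over a protected channel
    (TLS in the Tomcat example); the server hashes it and compares."""
    if user not in store:
        return False
    salt, stored = store[user]
    return hmac.compare_digest(one_way(clear_password, salt), stored)

def login_option2(store: dict, user: str, client_hash: bytes) -> bool:
    """Option 2: the client hashes; the server only compares bytes."""
    if user not in store:
        return False
    _, stored = store[user]
    return hmac.compare_digest(client_hash, stored)

def stored_value_accepted(store: dict, user: str) -> dict:
    """Does presenting the stored value itself, without the password, log in?"""
    _, stored = store[user]
    return {
        "option1": login_option1(store, user, stored),
        "option2": login_option2(store, user, stored),
    }

# Constructed sample credentials, not taken from the thread.
STORE = make_store({"alice": b"constructed-sample-password"})

if __name__ == "__main__":
    print(stored_value_accepted(STORE, "alice"))
```

Under option 2 the stored value is password-equivalent, so a read-only disclosure of the credential store is enough to authenticate; under option 1 the server-side hashing step means the stored value alone is not accepted.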
