
RE: LDAPDN and AuthMeth/DIGEST-MD5

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Sunday, November 21, 1999 4:48 AM

> Which means that the server cannot precompute and store A1,
> it must store the clear text password.

Regardless of authzid, it can't precompute A1 because the computation contains per-connection nonces.

> If it stores the
> clear text password and the storage is cracked, the real
> clear text password is exposed.

No. It can store
        H( { username-value, ":", realm-value, ":", passwd } )
which is what was intended to be precomputed, not A1.

>
> >it does not need to be canonicalized.
>
> It needs to be canonicalized to allow servers to avoid
> non clear text storage.

As shown above, that's not correct.

Paul
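The storage point made above, as an added Python example that is not part of this thread: the server keeps only H(username:realm:passwd) and still derives A1 and checks the client's response once the per-connection nonces are known, with or without an authzid. Input values are the ones from the RFC 2831 section 4 exchange; the authzid used in the check is a constructed value.

```python
import hashlib
import hmac
from typing import Optional


def h(data: bytes) -> bytes:
    """RFC 2831 H(): the 16-byte binary MD5 digest."""
    return hashlib.md5(data).digest()


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """What a server may store instead of the clear-text password:
    H( { username-value, ":", realm-value, ":", passwd } )."""
    return h(f"{username}:{realm}:{password}".encode("utf-8"))


def a1(secret: bytes, nonce: str, cnonce: str, authzid: Optional[str] = None) -> bytes:
    """A1 per RFC 2831: the stored secret joined with the per-connection nonces,
    plus the authzid only when the client asked to act as another identity."""
    value = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        value += f":{authzid}".encode("utf-8")
    return value


def response(a1_value: bytes, nonce: str, nc: str, cnonce: str, digest_uri: str) -> str:
    """Client response for qop=auth: HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))."""
    ha1 = hashlib.md5(a1_value).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode("utf-8")).hexdigest()


def server_verify(secret: bytes, nonce: str, cnonce: str, nc: str, digest_uri: str,
                  client_response: str, authzid: Optional[str] = None) -> bool:
    """Server-side check that needs only the stored secret, never the password."""
    expected = response(a1(secret, nonce, cnonce, authzid), nonce, nc, cnonce, digest_uri)
    return hmac.compare_digest(expected, client_response)


# Sample values from the RFC 2831 section 4 exchange.
USERNAME, REALM, PASSWORD = "chris", "elwood.innosoft.com", "secret"
NONCE, CNONCE, NC = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001"
DIGEST_URI = "imap/elwood.innosoft.com"


def demo() -> tuple:
    """Return (stored secret, client response) for the RFC 2831 sample exchange."""
    secret = stored_secret(USERNAME, REALM, PASSWORD)
    return secret, response(a1(secret, NONCE, CNONCE), NONCE, NC, CNONCE, DIGEST_URI)


if __name__ == "__main__":
    secret, client = demo()
    print("stored secret (hex):", secret.hex())
    print("client response:", client)
```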