> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Sunday, November 21, 1999 4:48 AM
> Which means that the server cannot precompute and store A1,
> it must store the clear text password.
Regardless of authzid, it can't precompute A1 because the computation contains per-connection nonces.
> If it stores the
> clear text password and the storage is cracked, the real
> clear text password is exposed.
No. It can store
H( { username-value, ":", realm-value, ":", passwd } )
which is what was intended to be precomputed, not A1.
>
> >it does not need to be canonicalized.
>
> It needs to be canonicalized to allow servers to avoid
> non clear text storage.
As shown above, that's not correct.
Paul
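The computation the two messages above are arguing about, written out as an added example; this is not code from Paul, Kurt, or any DIGEST-MD5 implementation. It follows the A1/A2/response formulas as later published in RFC 2831 (the inner H() is the raw 16-byte MD5 output, not hex). The sample user, realm, nonces and the UTF-8 encoding of the hashed strings are assumptions of the example; how those strings are canonicalized before hashing is precisely the open question in the thread. What the code shows is that the nonce-free value H(username:realm:passwd) is the only thing the server has to keep, while A1 itself mixes in the per-connection nonce, cnonce and optional authzid and so cannot be stored ahead of time.

```python
"""DIGEST-MD5 response computation (formulas per RFC 2831).
Added example, not code from the thread's participants."""
import hashlib
import hmac
import os


def H(data: bytes) -> bytes:
    """RFC 2831 H(): the 16 raw bytes of MD5 (not the hex form)."""
    return hashlib.md5(data).digest()


def HEX(data: bytes) -> bytes:
    """RFC 2831 HEX(): lowercase hex of a byte string."""
    return data.hex().encode("ascii")


def stored_secret(username: str, realm: str, password: str) -> bytes:
    """H( { username-value, ":", realm-value, ":", passwd } ).

    Contains no nonce, so the server can compute it once at enrolment and
    keep it instead of the cleartext password.  UTF-8 encoding is an
    assumption of this example (the charset/canonicalization rule is what
    the thread is debating)."""
    return H(f"{username}:{realm}:{password}".encode("utf-8"))


def compute_response(secret: bytes, nonce: bytes, cnonce: bytes, nc: bytes,
                     qop: bytes, digest_uri: bytes, authzid: bytes = None) -> bytes:
    """response-value = HEX( KD( HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)) ) )
    with KD(k, s) = H(k ":" s).

    A1 = stored_secret ":" nonce ":" cnonce [ ":" authzid ]; because nonce
    and cnonce are fresh per connection, A1 can never be precomputed."""
    a1 = secret + b":" + nonce + b":" + cnonce
    if authzid is not None:
        a1 += b":" + authzid
    a2 = b"AUTHENTICATE:" + digest_uri
    if qop in (b"auth-int", b"auth-conf"):
        a2 += b":" + b"0" * 32
    ha1 = HEX(H(a1))
    ha2 = HEX(H(a2))
    kd_input = (ha1 + b":" + nonce + b":" + nc + b":" + cnonce
                + b":" + qop + b":" + ha2)
    return HEX(H(kd_input))


def client_response(username: str, realm: str, password: str, nonce: bytes,
                    cnonce: bytes, nc: bytes, qop: bytes, digest_uri: bytes,
                    authzid: bytes = None) -> bytes:
    """Client side: derives everything from the cleartext password."""
    secret = stored_secret(username, realm, password)
    return compute_response(secret, nonce, cnonce, nc, qop, digest_uri, authzid)


def server_verify(secret: bytes, nonce: bytes, cnonce: bytes, nc: bytes,
                  qop: bytes, digest_uri: bytes, response: bytes,
                  authzid: bytes = None) -> bool:
    """Server side: starts from the stored hash and never sees the password."""
    expected = compute_response(secret, nonce, cnonce, nc, qop, digest_uri, authzid)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed sample exchange (not a captured trace)."""
    username, realm, password = "alice", "example.com", "correct horse"
    secret = stored_secret(username, realm, password)   # all the server keeps
    nonce = os.urandom(16).hex().encode("ascii")        # server challenge
    cnonce = os.urandom(16).hex().encode("ascii")       # client nonce
    nc, qop, uri = b"00000001", b"auth", b"imap/mail.example.com"
    resp = client_response(username, realm, password, nonce, cnonce, nc, qop, uri)
    verified = server_verify(secret, nonce, cnonce, nc, qop, uri, resp)
    # Caveat: the stored hash hides the password, but it is
    # password-equivalent for this realm; anyone holding it can produce
    # valid responses without ever learning the cleartext.
    forged = compute_response(secret, nonce, cnonce, nc, qop, uri)
    hash_suffices = server_verify(secret, nonce, cnonce, nc, qop, uri, forged)
    return {"verified": verified, "hash_is_password_equivalent": hash_suffices,
            "stored_secret_hex": secret.hex()}


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the secret the server stores is 16 bytes that differ per realm, so the same password enrolled in two realms yields two unrelated stored values; and a change of nonce, cnonce or authzid changes the response without touching what is stored, which is why the nonces are the reason A1 cannot be precomputed, not the authzid.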