- From: <hallam@w3.org>
- Date: Mon, 29 Apr 96 14:52:13 -0400
- To: Paul Leach <paulle@microsoft.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, hallam@w3.org
>Not really. The shared secret is the password, not its hash. Giving >H(A1) to a server is just a way a group of servers can be given the >password without needing to have them all have the password in >plaintext. How they get it betwen themselves is outside the scope of the >spec. Actually I was pretty keen on the shared secret being the hash. The idea being that the server need not ever know the password itself. This would be secure enough for many applications. The additional hassle probably isn't worthwhile at this stage. >In your scheme, servers that only want to support SHA would have to have >an implementation of MD5 available -- and they might not have a license >from RSA DSI. Actually the license terms are merely that you call it RSA-MD5 and tell pe0op,e that you use it, and those are only if you use Ron's code. O.K. so things look pretty much alright provided we put in a note to mention that SHA is preferred over MD5. Phill
Received on Monday, 29 April 1996 11:56:27 UTC