- From: Goetz Bock <bock@blacknet.de>
- Date: Sun, 17 Nov 2002 21:59:01 +0100
- To: www-forms@w3.org
On Sun, Nov 17 '02 at 12:35, John Keiser wrote:
> I think the bottom line here is, MD5 is not enough but we need an MD5
> function so that we can hash the password so that it will match the one
> in the database before doing another, more secure hash based on
> server-supplied text, like HMAC (thanks John).

Just to tell you again: using MD5 on the password will not gain you anything. MD5ing a password to match it against an MD5-hash stored in the database is *WORSE* than sending the plaintext password (it's worse because it gives a false sense of security). And using HMAC won't help either.

Face it. You're not going to add ANYTHING to html anymore. html has been deployed and it's impossible to fix anything, now or in the future.

OTOH if you're going to use xhtml (or xforms) then you can just stop. All you need is there. Pick from: ssl/tls, xml-signature, xml-encryption. They all work with XML data, are designed by people who spend some time thinking about what they do (at least so I hope) and are way better than any quick fix anyone will come forth within a couple of emails.

OTOH why bother about this at all. Thanks to the US, and TCPA we will get all security/authentication we never really wanted within the next few years.

-- 
Goetz Bock (c) 2002 as blacknet.de - Munich - Germany             /"\
IT Consultant GNU FDL 1.1 secure mobile Linux everNETting         \ /
                                                                   X
ASCII Ribbon Campaign against HTML email & microsoft attachments  / \
Received on Sunday, 17 November 2002 15:59:37 UTC
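
The two schemes discussed in this message, modelled as an added example that is not part of the original post or of any XForms code. It shows why a client-side MD5 digest that matches the stored value is itself the credential. The user row, the function names and the use of SHA-256 inside the HMAC are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one user row as the quoted scheme would store it.
PASSWORD = "correct horse battery staple"
STORED = {"alice": hashlib.md5(PASSWORD.encode()).hexdigest()}


def client_md5(password: str) -> str:
    """Value a browser-side MD5 function would put on the wire."""
    return hashlib.md5(password.encode()).hexdigest()


def server_check_md5(user: str, submitted: str) -> bool:
    """Scheme 1: the server compares the submitted digest with the stored one."""
    return hmac.compare_digest(STORED.get(user, ""), submitted)


def new_challenge() -> str:
    """Server-supplied text, fresh for every login attempt."""
    return secrets.token_hex(16)


def hmac_response(md5_hex: str, challenge: str) -> str:
    """Scheme 2: HMAC over the challenge, keyed by MD5(password)."""
    key = bytes.fromhex(md5_hex)
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


def server_check_hmac(user: str, challenge: str, response: str) -> bool:
    return hmac.compare_digest(hmac_response(STORED[user], challenge), response)


def demo() -> dict:
    wire_value = client_md5(PASSWORD)  # what crosses an unencrypted link
    c1, c2 = new_challenge(), new_challenge()
    r1 = hmac_response(client_md5(PASSWORD), c1)
    from_db_row = hmac_response(STORED["alice"], c2)  # no password involved
    return {
        # The digest alone is accepted, so it is password-equivalent.
        "digest_alone_accepted": server_check_md5("alice", wire_value),
        # A response is bound to its challenge and is rejected for the next one.
        "old_response_on_new_challenge": server_check_hmac("alice", c2, r1),
        # The stored row is the HMAC key: reading it is enough to answer.
        "db_row_answers_challenge": server_check_hmac("alice", c2, from_db_row),
    }
```

In both schemes the database column holds a value that authenticates as the user, so it needs the same protection as a plaintext password table, and the link still needs transport encryption such as the ssl/tls option named in the message.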