Brian,

> I'm fumbling about seeking the hardness knob that controls my
> thinking ... I know it's there somewhere ... :)

Me, too. You can never be too paranoid about authentication code.

> I'm learning from the discussion on this list that DIGEST is not very
> popular. However, it is a published algorithm and therefore has a bit more
> credibility than one I cooked up.

It's not very popular for two reasons:

1. Use of MD5
2. Spotty browser support (due to spotty server support)

Basically, it was a good idea that wasn't well-implemented, so nobody ever really bothered to fully support it. Most OSS code works just fine -- because someone like you was sufficiently motivated to make it work and, well, support the standard. The standard sucks, though :(

Note that DIGEST AUTH does use nonce values during communication, even if you can't really use them as permanent salt values.

> One thing I'm slightly nervous of is reuse of the SSL session id.
> The SSL spec says the server gets to choose the ID for an SSL session
> so I need to know that the server doesn't reuse them in a way that
> might compromise this approach. OpenSSH states that it uses a random
> number as wide as the protocol allows. Haven't found a statement
> about what JSSE does and haven't had an answer yet to my question to
> the forum. I expect it's fine - it would just be nice to have it in
> writing.

You could use the APR connector (and you probably should, if Tomcat will be terminating the SSL connection, because it generally performs better than the pure Java I/O connectors) and then you'll be using OpenSSL under the hood: problem solved.
:)

Hope that helps,
-chris
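As an added example (not code from this thread or from Tomcat), the following Python shows why the Digest nonce protects the exchange but cannot serve as a permanent salt: the server must store HA1 = MD5(user:realm:password), which contains no nonce, while each request's response value does. The realm, user names, URI and nonce-tracking scheme are constructed for illustration.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 per RFC 2617: what the server must store to verify logins.
    It contains no nonce, so the nonce cannot act as a storage salt."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client 'response' value for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (constructed): stores HA1 only, rejects replayed (nonce, nc)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.stored_ha1 = {}   # username -> HA1; in-memory stand-in for a user store
        self.seen = set()      # (nonce, nc) pairs already accepted

    def add_user(self, username: str, password: str) -> None:
        self.stored_ha1[username] = ha1(username, self.realm, password)

    def new_nonce(self) -> str:
        # Fresh per challenge; its only job is to make each response single-use.
        return secrets.token_hex(16)

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        stored = self.stored_ha1.get(username)
        if stored is None or (nonce, nc) in self.seen:
            return False       # unknown user, or a replayed request
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True
```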