Menu
▾
▴
Re: [Firebird-devel] crypt plugins
|
From: Thomas M. <tm...@bs...> - 2004-09-21 14:43:20
|
> > Sorry, it simply doesn't work without other changes. I tried to > explain why, may be I expressed my thought not well enough, but I'd > like to see what real problems this change creates, not only common > words. > I wanted to solve one main problem - give users an ability to use such > hashes for passwords that they want. I think my design solves this > particular problem. I don't know, what addtional problems it may raise > for future security design. Moreover, with hash calculation, moved > from client to server, future security review seems easier - for > example, implementation of auth plugins. > > Alex. > The question isn't whether is is good, bad, or indifferent. There are lots of issues surrounding security that are bad in FB. Instead of band aiding it, Jim is proposing that we come up with a strategy to fix it right in FB3. 2.0 is frozen. I am hoping to see the security database disappear in FB3 so security is built into the db file. I am also hoping that all security is supported and can be managed through SQL code. I suggested a long time ago to have a plug in solution for encryption and compression, not of the passwords, but the data going over the wire. So if a plugin architecture is being designed, developed and implemented, it would make sense that it work in both places. I am sure there are other security issues that need to be addressed that I am unfamiliar with (which is why Jim wants an open discussion so more eyes are on the problem). -- Thomas Miller Delphi Client/Server Certified Developer BSS Accounting & Distribution Software BSS Enterprise Accounting FrameWork http://www.bss-software.com http://sourceforge.net/projects/dbexpressplus |
