rob.page at digicool
Feb 9, 2000, 9:47 PM
RE: [Zope-PTK] PROPOSAL: A Confidence Mechanism in User Role Management

> So, if cleartext is less trustworthy because it's sniffable, it
> follows that using cleartext once compromises the secure
> channels as well, and so they should be no more trusted than cleartext
> the password's been changed. Oh. But, if you are now
> of the remote user, you can't let them change the password so as to
> again! D'oh. Seems like a Catch 22, I must not be getting something.
This is a valid point. This is why many sites have you log in over SSL.
Perhaps they assign you an expiring cookie which you can carry around
and over insecure channels. Ideally, password specification and
password presentation are all done over secure comm - then you don't
have to discount the confidence in the password as an accurate
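The pattern Rob describes (authenticate over SSL, hand back an expiring cookie that can then be presented over plain HTTP) as an added example; this is not code from the original post or from the PTK. It assumes an HMAC-SHA256 tag over "username:expiry" with a server-side secret and a 15-minute lifetime, both of which are placeholder choices. The cookie proves that a login happened over the secure channel and has not yet expired; it says nothing about who is holding it now, which is exactly why it should not be enough to change the password.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed deployment values: the secret lives only on the server and is
# never sent to the client; the lifetime is an arbitrary illustrative choice.
SERVER_SECRET = secrets.token_bytes(32)
COOKIE_LIFETIME = 15 * 60  # seconds


def issue_cookie(username, now=None, secret=SERVER_SECRET, lifetime=COOKIE_LIFETIME):
    """Mint a cookie right after a password login that took place over SSL.

    Format: base64url(username:expiry) + "." + hex(HMAC-SHA256 over the payload).
    Anyone who sniffs it on a cleartext hop can replay it until `expiry`,
    but cannot forge a different name or a later expiry without the secret.
    """
    now = int(time.time()) if now is None else int(now)
    expires = now + lifetime
    payload = f"{username}:{expires}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(cookie, now=None, secret=SERVER_SECRET):
    """Return the username if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:  # malformed structure or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        username, expires_text = payload.decode().rsplit(":", 1)
        expires = int(expires_text)
    except ValueError:
        return None
    if now >= expires:
        return None
    return username


def may_change_password(cookie, presented_password_over_ssl, now=None, secret=SERVER_SECRET):
    """A password change needs more than the carried-around cookie.

    The cookie only shows that *someone* logged in earlier; since it may have
    been sniffed on an insecure hop, we additionally require the current
    password to be presented again over the secure channel before allowing
    a change. `presented_password_over_ssl` is True only when the caller has
    confirmed both that a password was re-entered and that the request
    arrived over SSL (assumed to be checked elsewhere).
    """
    user = verify_cookie(cookie, now=now, secret=secret)
    if user is None:
        return None
    if not presented_password_over_ssl:
        return None
    return user


if __name__ == "__main__":
    c = issue_cookie("alice")
    print("cookie:", c)
    print("verified as:", verify_cookie(c))
    print("may change password with cookie alone:", may_change_password(c, False))
    print("may change password with fresh SSL password:", may_change_password(c, True))
```

A practitioner would also mark the cookie `Secure` and `HttpOnly` and bind the password-change form to the SSL-only host, but the two functions above capture the confidence split the thread is circling: the cookie buys session access until it expires, and only a fresh password presented over the secure channel buys the right to replace the password.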