[jdev] SASL (again)
Jonathan Dickinson
jonathan.dickinson at k2.com
Wed Apr 15 07:52:13 CDT 2009
Hi All,
RFC 4616 implies that it is possible to store a digest for CRAM-MD5 in the database (just above 3. Pseudo-Code). From what I can tell you need to store a plain-text password (at best the XORed passwords, which is pointless).
A CRAM digest is created as follows:
    MD5(
        (K XOR opad),
        MD5(
            (K XOR ipad),
            timestamp
        )
    )
Where 'timestamp' is variant ("<" num "." num "@" domain ">"). Am I missing some mathematical nuance, or is RFC 4616 misleading?
Jonathan
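Added example, not part of the original message: the construction above is HMAC-MD5 keyed with the password, so a server can absorb the (K XOR ipad) and (K XOR opad) blocks once and finish both hashes for each new challenge without the password. The sketch keeps the two contexts as in-memory hashlib objects; a real server would persist the MD5 chaining state, which hashlib does not expose, and the password, challenges and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes


def precompute_contexts(password: bytes):
    """Done once at enrolment: absorb (K XOR ipad) and (K XOR opad)."""
    # HMAC rule: keys longer than one block are hashed first, then zero-padded.
    key = hashlib.md5(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))  # ipad = 0x36 repeated
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))  # opad = 0x5c repeated
    return inner, outer


def expected_response(contexts, challenge: bytes) -> str:
    """Per login: finish both hashes from copies of the saved contexts."""
    inner, outer = (c.copy() for c in contexts)
    inner.update(challenge)        # MD5((K XOR ipad), challenge)
    outer.update(inner.digest())   # MD5((K XOR opad), inner digest)
    return outer.hexdigest()


def verify(contexts, challenge: bytes, client_hex: str) -> bool:
    """Constant-time comparison of the client's hex digest with ours."""
    return hmac.compare_digest(expected_response(contexts, challenge), client_hex)


# Constructed sample values (not from the original message).
PASSWORD = b"correct horse"
CHALLENGE = b"<1896.697170952@example.org>"
CONTEXTS = precompute_contexts(PASSWORD)   # the server keeps only this
CLIENT_RESPONSE = hmac.new(PASSWORD, CHALLENGE, hashlib.md5).hexdigest()

if __name__ == "__main__":
    print("server accepts:", verify(CONTEXTS, CHALLENGE, CLIENT_RESPONSE))
```

The saved contexts are enough to answer any challenge, so they are password-equivalent for CRAM-MD5 and need the same protection as the password itself.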