Re: [GNU Crypto] Passwords Immutable?
From: Casey Marshall
Subject: Re: [GNU Crypto] Passwords Immutable?
Date: Mon, 03 May 2004 20:33:12 -0700
User-agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/21.2 (gnu/linux)

>>>>> "Bryan" == Bryan Hoover <address@hidden> writes:

Bryan> Casey Marshall wrote:
>> - It's our convention to not use redundant modifiers and
>> declarations; this includes `throws' clauses for unchecked
>> exceptions (although, they should be described in a address@hidden' entry
>> in the javadocs, if it is a public or protected method).

Bryan> Also noticed 'final' was removed from Password method "input
Bryan> only" parameters -- this seems incongruent with the style
Bryan> guidelines -- was intentional?

Nope. I removed them by mistake, shuffling files around.

>> - I put Password into the package gnu.crypto.auth. I'm certain that
>> this class will be useful in other places. The next thing to do is
>> replace char arrays with Password wherever else appropriate.

Bryan> There's a little "gotcha" relative to PlainClient, the plain
Bryan> text password implementation. Most of the work is done in
Bryan> EvaluateChallenge (id, and password init, as well as
Bryan> evaluation). All user data is appended to a single
Bryan> StringBuffer, converted to String, and returned as a utf-8 byte
Bryan> array using String's getBytes.

Bryan> Couple things come to mind -- rework, and generalize the
Bryan> Password class idea, to something along the lines of a
Bryan> "SecureData" class, and add an append method to it. Or could
Bryan> just add an append method to the Password class. Only
Bryan> difference between the two really, is metaphorical.

`append' would break the contract of immutability, and I think making
them immutable, but destroyable, is best.

Bryan> Could handwave, with the observation that plain text ain't any
Bryan> too secure anyway :), but CramMD5Client does something similar
Bryan> with String data, where again, an append method would take care
Bryan> of it.

There really isn't much sense in worrying about PLAIN. Probably the
best thing to do is use CharEncoder or OutputStreamWriter and
ByteArrayOutputStream.

- --
Casey Marshall || address@hidden
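
Added example, not part of the original message and not GNU Crypto code: one way to build a PLAIN response from char arrays with java.nio's CharsetEncoder instead of a StringBuffer and String.getBytes, so that every intermediate copy of the password can be zeroed. The class and method names are hypothetical, the sample credentials are constructed, and the NUL-separated layout is the SASL PLAIN message format.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CoderResult;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PlainResponseDemo {
    /** UTF-8 encodes chars without ever creating a String; wipes its scratch buffer. */
    static byte[] utf8(char[] chars) throws CharacterCodingException {
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
        // Worst-case size up front, so nothing is reallocated and left unwiped.
        ByteBuffer buf = ByteBuffer.allocate((int) Math.ceil(chars.length * enc.maxBytesPerChar()));
        try {
            CoderResult r = enc.encode(CharBuffer.wrap(chars), buf, true);
            if (r.isError()) r.throwException();   // e.g. an unpaired surrogate
            enc.flush(buf);
            buf.flip();
            byte[] out = new byte[buf.remaining()];
            buf.get(out);
            return out;
        } finally {
            Arrays.fill(buf.array(), (byte) 0);    // scratch copy of the encoded data
        }
    }

    /** Builds authzid NUL authcid NUL password, the SASL PLAIN layout. */
    static byte[] plainResponse(char[] authzid, char[] authcid, char[] password) throws CharacterCodingException {
        byte[] z = utf8(authzid), c = utf8(authcid), p = utf8(password);
        try {
            byte[] msg = new byte[z.length + c.length + p.length + 2];  // the two NULs are the zero fill
            System.arraycopy(z, 0, msg, 0, z.length);
            System.arraycopy(c, 0, msg, z.length + 1, c.length);
            System.arraycopy(p, 0, msg, z.length + c.length + 2, p.length);
            return msg;
        } finally {
            Arrays.fill(p, (byte) 0);              // encoded password copy no longer needed
        }
    }

    public static void main(String[] args) throws CharacterCodingException {
        char[] password = {'s', '\u00e9', 's', 'a', 'm', 'e'};   // constructed sample
        byte[] msg = plainResponse(new char[0], "alice".toCharArray(), password);
        Arrays.fill(password, '\0');               // caller destroys its own copy
        System.out.println("response bytes: " + msg.length);
        Arrays.fill(msg, (byte) 0);                // wipe once the transport has sent it
    }
}
```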