Hi,

I am currently working on a client-server application where I would like to use the Secure Remote Password protocol (SRP, http://srp.stanford.edu/) for authentication of users as well as obtaining a good key to use for encrypting the rest of the "conversation". This part is not a problem.

However, I would like to integrate this with DirectoryService (DS) so that I can authenticate users from (for example) an OD. Now the trouble begins. SRP requires that the server has access to the password either in clear-text or in some other directly derived form (SHA1 hash could be made to work). Hence I've been looking for a way to obtain this from DS or any other means. I've been thinking about creating a new authentication mechanism for SRP, but I can't find any documentation about how to do that, which might point to it not being supported.

I'm just about to give up the SRP idea and use something supported, like CRAM-MD5, but these alternatives are not as attractive considering that there are known security flaws with some of them and they do not generate a good cryptographic key as a by-product either.

Obviously my question is if anyone has any experience of doing something similar or has any ideas about how it might be done?

Thanks in advance,
Robert Nilsson

Darwin-dev mailing list (Darwin-dev@lists.apple.com)
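The post's remark that a stored SHA1 hash "could be made to work" can be sketched as follows; this is an added example, not code from the original post or from any DirectoryService API. It assumes a non-standard derivation x = SHA1(salt | SHA1(password)), a demo-only group, and hypothetical function names, and it runs both sides of an SRP-6a exchange in one process.

```python
import hashlib
import secrets

# Demo group only (assumption): 2**521 - 1 is prime but not a safe prime.
# Real deployments use a standard SRP group such as those in RFC 5054.
N = 2**521 - 1
g = 3

def H(*parts: bytes) -> int:
    """SHA1 over the concatenated parts, returned as an integer."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    """Fixed-width big-endian encoding, padded to the size of N."""
    return n.to_bytes((N.bit_length() + 7) // 8, "big")

def private_x(salt: bytes, pw_sha1: bytes) -> int:
    # Assumed variant: x is built from SHA1(password), not the cleartext,
    # so a server holding only that hash can still compute the verifier.
    return H(salt, pw_sha1)

def enroll_from_stored_hash(pw_sha1: bytes):
    """Server side: derive (salt, verifier) from a stored SHA1(password)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, pw_sha1), N)

def run_exchange(password: str, salt: bytes, v: int):
    """Both sides of SRP-6a; returns (client_key, server_key)."""
    k = H(to_bytes(N), to_bytes(g))
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    A = pow(g, a, N)                          # client -> server
    B = (k * v + pow(g, b, N)) % N            # server -> client, with salt
    u = H(to_bytes(A), to_bytes(B))
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("abort: degenerate SRP parameters")
    # Client: recomputes x from the typed password and the received salt.
    x = private_x(salt, hashlib.sha1(password.encode()).digest())
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: uses only the verifier v, never the password itself.
    s_server = pow(A * pow(v, u, N) % N, b, N)
    return (hashlib.sha1(to_bytes(s_client)).digest(),
            hashlib.sha1(to_bytes(s_server)).digest())
```

With this derivation the stored SHA1 hash is password-equivalent for SRP: anyone who can read it can compute x and authenticate as the user, so it needs the same protection as a cleartext password.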