[geeklog-devel] Atom publishing

Tony Bibbs tony at tonybibbs.com
Thu May 29 16:09:37 EDT 2008


That said, my original question is still valid.  If we stored a password encrypted with some 2-way cipher in the DB you could

1) get encrypted PW from DB
2) decrypt using cipher
3) compare the pw from #2 against the WSSE request using the sha of WSSE's nonce, timestamp and the pw

Idea is that pw could be optionally stored for only web service users and would be different from the normal gl password.  I would also assume this could optionally require submission approval.

--Tony
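The three-step check described above, as an added example that is not part of the original post and not Geeklog's own lib-webservices code. It is written in Python rather than PHP and assumes the Atom-over-HTTP WSSE convention: an `X-WSSE: UsernameToken ...` header whose Nonce is Base64-encoded and whose PasswordDigest is Base64(SHA1(nonce bytes + Created + password)). The password store, user name, timestamps and nonce are constructed; the lookup callback stands in for the "decrypt the 2-way-encrypted value from the DB" step, and the example adds the checks a verifier needs beyond the digest itself (timestamp window, nonce replay cache, constant-time comparison).

```python
"""WSSE UsernameToken verification with replay protection (added example,
not Geeklog code). Assumed convention:
  PasswordDigest = Base64(SHA1(nonce_bytes + Created + password))
with Nonce sent Base64-encoded in the X-WSSE header."""
import base64
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)          # accept Created within +/- this window
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # Key="value" pairs in the header


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Step 3 of the thread: SHA-1 over nonce, timestamp and plaintext password."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_wsse_header(username, password, nonce=None, created=None):
    """Client side: the X-WSSE header value an Atom publishing client sends."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'UsernameToken Username="{username}", '
        f'PasswordDigest="{password_digest(nonce, created, password)}", '
        f'Nonce="{base64.b64encode(nonce).decode("ascii")}", '
        f'Created="{created}"'
    )


def parse_wsse_header(header: str) -> dict:
    """Split the header into its four fields; raise ValueError if any is missing."""
    if not header.startswith("UsernameToken "):
        raise ValueError("not a UsernameToken header")
    fields = dict(_FIELD_RE.findall(header))
    missing = {"Username", "PasswordDigest", "Nonce", "Created"} - fields.keys()
    if missing:
        raise ValueError(f"missing WSSE fields: {sorted(missing)}")
    return fields


class WsseVerifier:
    """Server side: steps 1-3 of the thread plus timestamp and replay checks."""

    def __init__(self, lookup_password):
        # lookup_password(username) returns the user's plaintext web-service
        # password (the decrypted DB value in the thread's design) or None.
        self._lookup = lookup_password
        self._seen = {}  # nonce bytes -> Created time, for replay rejection

    def verify(self, header: str, now: datetime) -> bool:
        try:
            f = parse_wsse_header(header)
            nonce = base64.b64decode(f["Nonce"], validate=True)  # binascii.Error is a ValueError
            created = datetime.strptime(f["Created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - created) > CLOCK_SKEW:          # stale or future-dated request
            return False
        # Forget nonces that fell out of the window, then reject a repeated one
        self._seen = {n: t for n, t in self._seen.items() if now - t <= CLOCK_SKEW}
        if nonce in self._seen:
            return False
        password = self._lookup(f["Username"])       # steps 1-2: fetch + decrypt
        if password is None:
            return False
        expected = password_digest(nonce, f["Created"], password)
        if not hmac.compare_digest(expected, f["PasswordDigest"]):
            return False
        self._seen[nonce] = created
        return True


# Constructed stand-in for the decrypted web-service password table.
CONSTRUCTED_WS_PASSWORDS = {"tony": "ws-secret-example"}


def demo() -> dict:
    """Accept a fresh request, then reject a replay, a wrong password and a stale timestamp."""
    now = datetime(2008, 5, 29, 20, 9, 37, tzinfo=timezone.utc)  # constructed clock
    header = build_wsse_header("tony", "ws-secret-example",
                               nonce=bytes(range(16)), created="2008-05-29T20:09:00Z")
    verifier = WsseVerifier(CONSTRUCTED_WS_PASSWORDS.get)
    return {
        "first": verifier.verify(header, now),
        "replay": verifier.verify(header, now),
        "wrong_pw": WsseVerifier({"tony": "other"}.get).verify(header, now),
        "stale": WsseVerifier(CONSTRUCTED_WS_PASSWORDS.get).verify(header, now + timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the digest is computed over the plaintext password, the server must be able to recover that plaintext, which is exactly why the thread proposes a separate, reversibly encrypted web-service password rather than reusing the hashed Geeklog login password; the nonce cache and timestamp window are what stop a captured header from being presented a second time.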

----- Original Message ----
From: Dirk Haun <dirk at haun-online.de>
To: geeklog-devel <geeklog-devel at lists.geeklog.net>
Sent: Thursday, May 29, 2008 1:48:39 PM
Subject: Re: [geeklog-devel] Atom publishing

(sigh, this was supposed to go to the list)

Damien Hodgkin wrote:

>1. create a "nonce"
(snip)

There is actually a working WSSE implementation in system/lib-
webservices.php. It's commented out, though. But if you had the user's
unencrypted password, you could use it.

I tested it with a hack where I simply used the password hash as my
"password" on the other end. That's very insecure of course and I only
used it on a test setup. None of this went into Geeklog's code.

bye, Dirk


-- 
http://www.haun-online.de/accu/



_______________________________________________
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
http://eight.pairlist.net/mailman/listinfo/geeklog-devel