[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] lisp/server.el: Introduction of server-auth-key variable

From: Juanma Barranquero
Subject: Re: [PATCH] lisp/server.el: Introduction of server-auth-key variable
Date: Sun, 1 May 2011 01:59:25 +0200

2011/5/1 Michal Nazarewicz <address@hidden>:

> Depending on how paranoid are we, MD5 could feel too weak though.
> (Also, one could wish for HMAC.)

I am not feeling particularly paranoid just now, seeing as we've been
using a cleartext authentication key for the past few years...

> Actually, server would have to generate the nonce.  Otherwise, the
> authentication scheme would be prone to replay attacks and would really
> defy the purpose of nonce.

OK, I in fact prefer to generate the nonce in elisp.

> That would still break backward compatibility, wouldn't it?  The old
> servers would not accept this command anyway.  Unless server would issue
> it to client just after making connection.  From what I see, the old
> clients would "only" print error message.

Yeah, but a failed -auth closes the connection and deletes the
process, while an unknown command just issues an error message. One
way or another, I don't think we can avoid the error message on the
emacsclient side.

> In the worst case, the client could first try the new authenticating
> scheme and on error reconnect with the old scheme.

Yes, but as the connection is closed, that adds a bit of complexity to
emacsclient that I'd like to avoid if possible.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]