Peter Koch wrote:
IIRC, the reason for not hiding the password was that fetch-submit should be idempotent, or, to elaborate a bit more, no information should be lost in a fetch-edit-submit cycle. This is especially important in those cases where there's another auth scheme in use besides MD5-PW, so not submitting the respective attribute with the object would actually change the mntner to only use the remaining auth scheme. Any 'workarounds' to me appear a bit like rearranging those deckchairs once again. If MD5 is weak and there's enough concern in the community to get rid of it, let's just do it. But at the same time, let's take the first step first and get the CRYPT-PW deprecation and phase-out plan out of the door.
Not MD5 (CRYPT/SHA/...) is weak, but some sort of people using stupid passwords ;) Also, moving the encrypted password out to another separate hidden object (as the PGP key is now) doesn't break the fetch-edit-submit schema.

--
WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)