On Wed, 30 Jan 2002, Dmitry Rojkov wrote:
> Is it possible to use the cram-md5 authenticator and at the same time to
> keep user's password not in PLAINTEXT but MD5-digest?
no. or, well, yes, but then the user's password has to be scrambled
(as opposed to being encrypted). and you have to add this scrambling
knowledge to the cram-md5 driver too.
basically, "no".
> The line "The server then computes the CRAM-MD5 digest that the client should
> have sent, and checks that it received the correct string" confuses me.
> I don't want to compute, but compare MD5-digest.
you can't. the digest includes the challenge, which is different all
the time. if it wasn't, there wouldn't be any reason for cram at all.
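
The point made in the reply above, as an added example (not code from this thread or from any mail server): a CRAM-MD5 exchange in the RFC 2195 format, showing that the response changes with every challenge and that a server holding only MD5(password) cannot recompute it. The function names, host name and sample passwords are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(host="mail.example.test"):
    # Fresh per attempt: random number, timestamp, host name (host is a placeholder).
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{host}>".encode()


def client_digest(password, challenge):
    # HMAC-MD5 keyed with the password itself, computed over the challenge.
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def client_response(user, password, challenge):
    # Wire format: base64("<user> <hex digest>")
    line = user.encode() + b" " + client_digest(password, challenge).encode()
    return base64.b64encode(line)


def server_verify(stored_secret, challenge, response_b64):
    # The server must recompute the HMAC, so stored_secret has to be usable
    # as the HMAC key: the plaintext password (or an HMAC-specific
    # intermediate form that the verifying code also understands).
    _user, _, digest = base64.b64decode(response_b64).rpartition(b" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest)


def demo():
    password = b"correct horse"  # constructed sample password
    c1, c2 = make_challenge(), make_challenge()
    r1 = client_response("alice", password, c1)
    r2 = client_response("alice", password, c2)
    return {
        "responses_differ": r1 != r2,
        "plaintext_store_ok": server_verify(password, c1, r1),
        # Server that kept only MD5(password) cannot reproduce the digest.
        "md5_store_ok": server_verify(hashlib.md5(password).digest(), c1, r1),
        # A response captured for one challenge fails against the next one.
        "replay_ok": server_verify(password, c2, r1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
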