Julien Peeters
I'm looking for the person who implements the actual version of the login mechanism in the Perspective Broker. More precisely, I wonder what are the reasons to have chosen a challenge/response strategy to do login.
I'm only a user of Twisted and not a core developer, but I suspect for all the same reasons you'd choose such a system in general (which aren't PB, nor Twisted, specific). Avoiding the transmission of raw authentication information in favor of generated information such as challenge/response data helps prevent a slew of possible attacks (injection, playback, man-in-the-middle, etc.) when such information is available on the wire.

Note however that if you're implying that PB authentication must be challenge/response, that's not entirely accurate. While it's true the default Portal and ClientFactory implementations make use of a challenge/response approach, you could just as easily change that to be whatever you would like, including simple clear text transmission of authentication information in one step. And that exchange is distinct from the credential checker itself, so it can be replaced without changing anything else. Why you'd bother (when challenge/response is implemented for free) is another question, but it's certainly possible.

I suppose if you're using an SSL link for the PB connection with appropriate certificates you could consider the challenge/response an extra round trip, but it's got to be pretty insignificant compared to the overall session.

-- David
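To make concrete why a challenge/response exchange keeps the password off the wire and defeats the playback attack mentioned above, here is an added, self-contained example of such an exchange with both sides shown. It is not code from Twisted or from the thread, and it does not reproduce Perspective Broker's own wire format: the HMAC-SHA256 response, the `ChallengeServer` class, the `derive_secret` helper and the sample user `alice` are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets


def derive_secret(password: str) -> bytes:
    # Assumption for this example: both sides derive the shared secret from
    # the password with a plain SHA-256. The server must be able to recompute
    # the response, so it cannot rely on a slow salted hash on its own.
    return hashlib.sha256(password.encode()).digest()


# Constructed credential store: username -> password-derived secret.
USERS = {"alice": derive_secret("correct horse battery staple")}


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without ever sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Server side: issues single-use random challenges and checks responses."""

    def __init__(self, users, rng=secrets.token_bytes):
        self.users = users
        self.rng = rng            # injectable so the flow can be tested
        self.pending = {}         # username -> outstanding challenge

    def issue_challenge(self, username: str) -> bytes:
        # A fresh 16-byte nonce per attempt; an old response is useless
        # against it because the HMAC input differs.
        challenge = self.rng(16)
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        # pop() makes each challenge single-use even on the same connection.
        challenge = self.pending.pop(username, None)
        secret = self.users.get(username)
        if challenge is None or secret is None:
            return False
        expected = compute_response(secret, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChallengeServer, username: str, password: str):
    """One full login: challenge out, response back, verdict from the server.

    Returns (accepted, response_bytes); the response is what an eavesdropper
    on the wire would capture, since the password itself is never sent.
    """
    challenge = server.issue_challenge(username)
    response = compute_response(derive_secret(password), challenge)
    return server.verify(username, response), response


def demo() -> dict:
    server = ChallengeServer(USERS)

    # 1. Legitimate login succeeds; the response is "captured" off the wire.
    accepted, captured = run_exchange(server, "alice", "correct horse battery staple")

    # 2. Playback: the captured response is presented against a new challenge.
    server.issue_challenge("alice")
    replay_accepted = server.verify("alice", captured)

    # 3. A wrong password produces a response the server rejects.
    wrong_accepted, _ = run_exchange(server, "alice", "wrong password")

    return {
        "legit": accepted,
        "replay": replay_accepted,
        "wrong_password": wrong_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{'legit': True, 'replay': False, 'wrong_password': False}`. The captured response is bound to one nonce, so a recording of a successful login cannot be played back. What the scheme does not buy on its own is protection against offline guessing: anyone who records a challenge and its response can test candidate passwords against that pair at leisure, which is one reason the SSL link mentioned in the reply is still worth having even when the round trip costs little.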