ANNOUNCE: Review requests
enrico.scholz at informatik.tu-chemnitz.de
Sat Mar 19 03:41:34 UTC 2005
mattdm at mattdm.org (Matthew Miller) writes:
>> 2. use different login data. This will be a lot of data which nobody can
>> recall after some time. So, you have to use key managers or go through
>> a remember-password procedure on every login. I do not trust complex
>> systems like web browsers and think that this should be used for less
>> sensitive passwords only.
>> So I think that GPG-based authentication is much more secure than the
>> HTTP authentication.
> You chose to snip a paragraph from my earlier message which I think is quite
> relevant here, so I'm gonna repeat it:
> I'm not opposed to some sort of GPG signature-based process, but it needs
> to be integrated enough with the tools people will be using (web browsers,
> most likely) to make it not a burden.
> We need a system that is workable for developers to use. It needs to be
> secure, but it also needs to *aid* the process, not interfere with it.
My current approach is to use the usual HTTP-auth for less sensitive actions
(displaying tickets) but require GPG signing of certain actions (approving
tickets, requesting inclusion of projects, ...).
A snapshot of the GPG signing part is displayed at http://ensc.de/qa.html
(pure HTML snapshot without any functionality). The previous page is
displayed at http://ensc.de/qa1.html.
These snapshots are from the HTML frontend; the system itself is designed
as an XML-RPC server where more powerful, native clients can be written