ANNOUNCE: Review requests

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Sat Mar 19 03:41:34 UTC 2005


mattdm at mattdm.org (Matthew Miller) writes:

>> 2. use different logindata. This will be much data which nobody can
>>    recall after some time. So, you have to use keymanagers or go through
>>    a remember-password procedure on every login. I do not trust complex
>>    systems like webbrowsers and think that this should be used for less
>>    sensitive passwords only.
> [...]
>> So I think, that GPG based authentication is much more secure than the
>> HTTP authentication.
>
> You chose to snip a paragraph from my earlier message which I think is quite
> relevant here, so I'm gonna repeat it:
>
>   I'm not opposed to some sort of GPG signature-based process, but it needs
>   to be integrated enough with the tools people will be using (webbrowsers,
>   most likely) to make it not a burden.
>
> We need a system that is workable for developers to use. It needs to be
> secure, but it also needs to *aid* the process, not interfere with it.

My current approach is to use the usual HTTP-auth for less sensitive actions
(displaying tickets) but require GPG signing of certain actions (approving
tickets, requesting inclusion of projects, ...).

A snapshot of the GPG signing part is displayed at http://ensc.de/qa.html
(pure HTML snapshot without any functionality). The previous page is
displayed in http://ensc.de/qa1.html


These snapshots are from the HTML frontend; the system itself is designed
as an XML-RPC server for which more powerful, native clients can be
written.



Enrico