[clue-talk] January Presentation

Ken Dreyer ktdreyer at ktdreyer.com
Thu Jan 14 10:26:57 MST 2010


On Wed, Jan 13, 2010 at 9:33 PM, Greg Knaddison
<greg.knaddison at gmail.com> wrote:
> On Wed, Jan 13, 2010 at 8:01 PM, chris fedde <chris at fedde.us> wrote:
>> * SSL
>
> What's the benefit of this? There are logins to the current system and
> we don't have SSL now.

I call that a bug, not a feature :-)

> SSL is also somewhat expensive unless we
> self-sign and that's a usability nightmare. My preference would be to
> support external logins using something like OpenID and suggest that
> people get an OpenID provider that uses SSL.

There is a third option: CAcert. I myself can sign for two years,
maybe others in the group can also? The root is not in most browsers,
but it's better than a self-signed cert IMHO.

I'm all for OpenID, and if we have apps that support it, let's use it.
However, as I understand OpenID, we couldn't even guarantee that all
OpenID providers must use HTTPS. Even if my OpenID provider does use
HTTPS, if my service is HTTP, my session can still be sniffed and
hijacked, plain and simple.

In my experience we will always have that "one-off" service that
cannot use OpenID. SSH is the first that comes to mind. Without some
sort of password mechanism, mod_auth_openid would be our only option
for securing arbitrary web services (e.g. awstats), and I haven't heard
much about mod_auth_openid in production. That is why I would vote
that we plan to build around LDAP and add OpenID wherever possible.

- Ken
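Ken's point above, that an OpenID provider using HTTPS does nothing for a session cookie issued by a service that itself runs over plain HTTP, can be turned into a small audit check. This is an added example and not code from the clue-talk thread; the `session_cookie_exposed` function, the cookie-name list and the `.invalid` URLs are assumptions made for illustration.

```python
"""Check whether a service's session cookie is protected in transit.

The OpenID provider's scheme is recorded but deliberately has no effect on
the verdict: only the relying party (the service you log into) and the
flags on its session cookie decide whether the session can be sniffed.
Hypothetical helper written for this illustration, not project code.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed list of common session cookie names (assumption).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "session"}


def session_cookie_exposed(provider_url: str, service_url: str,
                           set_cookie_header: str) -> dict:
    """Return findings for one Set-Cookie header issued by the service."""
    findings = {
        "provider_https": urlsplit(provider_url).scheme.lower() == "https",
        "service_https": urlsplit(service_url).scheme.lower() == "https",
        "session_cookie": None,
        "secure_flag": False,
        "httponly_flag": False,
        "exposed": False,
    }
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    for name, morsel in cookie.items():
        if name.lower() in SESSION_NAMES:
            findings["session_cookie"] = name
            findings["secure_flag"] = bool(morsel["secure"])
            findings["httponly_flag"] = bool(morsel["httponly"])
            break
    if findings["session_cookie"] is not None:
        # Exposed if the service is HTTP, or if it is HTTPS but the cookie
        # lacks Secure (a plain-HTTP link to the same host leaks it anyway).
        findings["exposed"] = (not findings["service_https"]
                               or not findings["secure_flag"])
    return findings


if __name__ == "__main__":
    # Constructed sample: HTTPS OpenID provider, HTTP awstats service.
    print(session_cookie_exposed("https://openid.example.invalid/",
                                 "http://www.example.invalid/awstats/",
                                 "PHPSESSID=abc123; Path=/"))
```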

