[clue-talk] January Presentation

chris fedde chris at fedde.us
Thu Jan 14 12:57:59 MST 2010


On Thu, Jan 14, 2010 at 10:26 AM, Ken Dreyer <ktdreyer at ktdreyer.com> wrote:
> but it's better than a self-signed cert IMHO.
>
> I'm all for OpenID, and if we have apps that support it, let's use it.
> However, as I understand OpenID, we couldn't even guarantee that all
> OpenID providers must use HTTPS. Even if my OpenID provider does use
> HTTPS, if my service is HTTP, my session can still be sniffed and
> hijacked, plain and simple.
>
> In my experience we will always have that "one-off" service that
> cannot use OpenID. SSH is the first that comes to mind. Without some
> sort of password mechanism, mod_auth_openid would be our only option
> for securing arbitrary web services (eg. awstats), and I haven't heard
> much about mod_auth_openid in production. That is why I would vote
> that we plan to build around LDAP and add OpenID wherever possible.
>

As you say, there is a need to have a core of administrators who know
the root password for any self-hosted system.   These "designated
victims" would have ssh access to the system shell, and be responsible
for SA activities on the VPS.  I assert that this is a different
authentication regime from what is needed for the site itself.
Anyone who wanted to interact with the website would do so through the
web site directly using its authentication and authorization config.

Personally I'm against LDAP for use in such a small deployment.  LDAP
shines best in environments with dozens to thousands of systems with
hundreds to hundreds of thousands of users. I don't suspect that we
are talking about more than 2 VPS for this deployment.  Such a config
could easily be kept synchronized using an rdist or rsync script.

I suspect that it is also important to get a good understanding of how
OpenID works before we discount it.  Here is their website:
http://openid.net/ .   OpenID is a transitive trust system. If we
adopt it we are agreeing that we trust the authentication of one of
the twelve authenticators.  Effectively we would be saying: "I Trust
that Flickr knows who you are."  Remember that we are talking
Authentication here.   Authorization policy would be kept in the site
configuration.

Whatever we decide, I think that we have several good options on the
table.  I trust that this will be an interesting exercise.

