Hi,

Now that there are lots of web sites dedicated to Zope and its community, for example : zope.org zopezen.org zopenewbies.net zopelabs.com zopera.org zopegurus.de etc... I've noticed that most of them, if not all, invite the user to open an account before being able to do something useful (post a news message, a document of some sort, etc...)

Considering that most Zope users are interested in most of these sites, except when the language is not english, and that some want to really participate, I think this registration process quickly becomes very boring, and remembering all the different passwords is difficult, unless you always use the same which is insecure.

Couldn't it be possible that all these servers share the same authentication mechanism, i.e. only usernames and passwords, and do all their local stuff on their own (roles, possible actions, homepages, etc...), in one word (ok, two) : Centralized Authentication

For example I suppose it would be possible, if every webmaster agrees, to use the very same LDAP directory, which might be replicated for redundancy reasons, to check username+pw when an user tries to authenticate.

This would have the great benefit of checking not if someone is part of myownlittlezopecommunity.org but the WHOLE Zope community, this would also better solder this sparse community IMHO.

Of course I understand there are strong security drawbacks to this approach, but anyway this might be very good to make a real network of web sites strongly related to Zope, and could only strengthen the Zope community presence on the web.

<mode thispostshouldalsoincludeanMSrant="ON"> I know it's not better than what Mickey$oft plans to do, but while I trust the Zope Community (and ZC) I really don't trust the above named monopolist. </mode>

Any comment or flame ?

thank you for reading, anyway

Jerome Alet
Considering that most Zope users are interested in most of these sites, except when the language is not english, and that some want to really participate, I think this registration process quickly becomes very boring, and remembering all the different passwords is difficult, unless you always use the same which is insecure.
Couldn't it be possible that all these servers share the same authentication mechanism, i.e. only usernames and passwords, and do all their local stuff on their own (roles, possible actions, homepages, etc...), in one word (ok, two) : Centralized Authentication
I think this is great idea. I also think that most people use the same username/password combination for these kind of sites anyway. Insecure as in that if you know my zope.org password, you'll know my zopezen.org password too (and probably my Slashdot one too), sure, but I only keep three sets of username/passwords and use them depending on the kind of site.

Douwe
Couldn't it be possible that all these servers share the same authentication mechanism, i.e. only usernames and passwords, and do all their local stuff on their own (roles, possible actions, homepages, etc...), in one word (ok, two) : Centralized Authentication
A problem would be: if a user has advanced rights on site A and limited rights on site B. So there must be an automatism which first checks the local acl and then the global one.

Another one: What if I would like to register on site A but not on site B?

--------------------------------------
Goeldi.com - Internet Services
--------------------------------------
www.zopehosting.ch
www.goeldi.com
web@goeldi.com
Tel +41-61-7330555
Fax +41-61-7330556
--------------------------------------
On Thursday, July 25, 2002, at 08:38 , Stephan Goeldi wrote:
Couldn't it be possible that all these servers share the same authentication mechanism, i.e. only usernames and passwords, and do all their local stuff on their own (roles, possible actions, homepages, etc...), in one word (ok, two) : Centralized Authentication
A problem would be: if a user has advanced rights on site A and limited rights on site B. So there must be an automatism which first checks the local acl and then the global one.
Another one: What if I would like to register on site A but not on site B?
he already explained that in his first email: only username and password are global. roles are managed locally only.

jens
On Thu, Jul 25, 2002 at 02:38:28PM +0200, Stephan Goeldi wrote:
A problem would be: if a user has advanced rights on site A and limited rights on site B. So there must be an automatism which first checks the local acl and then the global one.
there would be no acl on the central server, only usernames + passwords acls would be local to each site.
Another one: What if I would like to register on site A but not on site B?
good question. An easy solution is : if you don't need it then don't use it. so if the user doesn't want to register on B he just has to never click on the Login link :-)

Again this idea is not bullet-proof security wise but the goal is not security, it's ease of use, without compromising security too much.

bye, and thanks to all for your comments

Jerome Alet
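The split described in this exchange (usernames and passwords held in one shared directory, the ACL kept on each site) can be sketched in a few dozen lines. The following is an added Python example written for this page, not code from the thread or from any Zope product; the class names, the site names and the credentials are constructed for the demo. It shows the "check global credentials, then local ACL" order, and what happens to a user who is known to the directory but has never been granted anything on a given site (Stephan's "register on A but not on B" case): that user gets only the site's default roles.

```python
import hashlib
import hmac
import os

# Constructed example: a shared directory holding only usernames and salted
# password hashes, plus a per-site role table. All names are hypothetical.

PBKDF2_ROUNDS = 50_000  # constructed value for the demo


class SharedAuthDirectory:
    """Central store: username -> (salt, PBKDF2 digest). No roles live here."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(salt, password))

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same as a wrong password.
            self._digest(b"\x00" * 16, password)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(salt, password))


class Site:
    """One participating site: authenticates through the shared directory,
    but keeps its own access control list (roles) locally."""

    def __init__(self, name, directory, default_roles=("Member",)):
        self.name = name
        self.directory = directory
        self.default_roles = frozenset(default_roles)
        self._local_roles = {}  # username -> roles granted on this site only

    def grant(self, username, *roles):
        self._local_roles.setdefault(username, set()).update(roles)

    def login(self, username, password):
        """Return the user's effective roles on this site, or None when the
        shared directory rejects the credentials."""
        if not self.directory.verify(username, password):
            return None
        # The local ACL decides what a globally-known user may do here; a user
        # with no local entry gets nothing beyond the site's default roles.
        return self.default_roles | self._local_roles.get(username, set())

    def may(self, username, password, required_role):
        roles = self.login(username, password)
        return roles is not None and required_role in roles


def demo():
    directory = SharedAuthDirectory()
    directory.register("alice", "correct horse battery staple")  # constructed credentials
    site_a = Site("zope.example", directory)
    site_b = Site("zopezen.example", directory)
    site_a.grant("alice", "Manager")  # advanced rights on A, nothing granted on B
    return {
        "a_roles": site_a.login("alice", "correct horse battery staple"),
        "b_roles": site_b.login("alice", "correct horse battery staple"),
        "bad_password": site_a.login("alice", "wrong"),
        "unknown_user": site_b.login("mallory", "whatever"),
        "can_manage_b": site_b.may("alice", "correct horse battery staple", "Manager"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that nothing in the directory records which sites a user has visited; "registering on B" is simply B's webmaster adding a row to B's own role table, which is why the global store can stay as small as username plus password hash.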
On Thursday 25 Jul 2002 1:43 pm, Jerome Alet wrote:
On Thu, Jul 25, 2002 at 02:38:28PM +0200, Stephan Goeldi wrote:
A problem would be: if a user has advanced rights on site A and limited rights on site B. So there must be an automatism which first checks the local acl and then the global one.
there would be no acl on the central server, only usernames + passwords
I'm not sure I would want a password shared among all community sites. Does anyone know where things are at with SSL client certificates?
first of all, i think this idea is very interesting. but the devil is in the details, and i'm not sure you realize what it is that you really want ;)
Considering that most Zope users are interested in most of these sites, except when the language is not english, and that some want to really participate, I think this registration process quickly becomes very boring, and remembering all the different passwords is difficult, unless you always use the same which is insecure.
i'm not sure about that assertion. i think a typical usage pattern is more like "everyone has their own small set of sites they visit regularly". i would think the number of users who really visit all these sites regularly is very small. secondly, the registration is a one-time thing. you don't have to register every time.
Couldn't it be possible that all these servers share the same authentication mechanism, i.e. only usernames and passwords, and do all their local stuff on their own (roles, possible actions, homepages, etc...), in one word (ok, two) : Centralized Authentication
i think what you *really* want (and the only thing that may bring any kind of difference to users at all) is single sign-on. i log into zope.org and when i jump to zopezen it will recognize and use the credentials i just entered when i visited zope.org.

having all users in the same repository will not make much of a difference to users. you still have to "log in" every time you visit a different site. that would not bring any discernible advantage, other than the fact that you would have the same username and password on all those sites. same username and password is kind of bad in itself because if some script kiddie finds out about one login he knows them all.

problem with centralized user repository: who would be administering such a server? who would be available if one site's webmaster or user has problems and needs assistance?
This would have the great benefit of checking not if someone is part of myownlittlezopecommunity.org but the WHOLE Zope community, this would also better solder this sparse community IMHO.
well, ok, now you have all users in a single directory. i don't see how that would bring the community together more. it makes zero difference to the user, apart from having the same username/password all over.
Of course I understand there are strong security drawbacks to this approach, but anyway this might be very good to make a real network of web sites strongly related to Zope, and could only strengthen the Zope community presence on the web.
what security drawbacks? the biggest security drawback is still the fact that basic auth and cookie auth send their data unencrypted from browser to server and back. that affects every site. the communication between server and LDAP can be guarded by SSL.

all in all i think what you really want is single sign-on. where usernames and passwords are stored and how is really secondary in that case. what's more important (and harder to do) is how can you make authentication credentials available to all participating servers so that the user does not need to type them in over and over again? basic HTTP auth is too limited for that. cookie auth is also problematic because cookies cannot be shared across domains.

jens
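The cross-domain problem Jens raises (a cookie set by zope.org is never sent to zopezen.org) is usually solved by passing a signed, short-lived assertion through the browser rather than the credentials themselves: the site that did the login redirects the user to the other site with a token, and the receiving site verifies it and then sets its own cookie for its own domain. The following is an added Python example written for this page, not part of the thread or of any Zope product; it assumes, hypothetically, that participating sites share one HMAC secret, and all domain names and values are constructed. It goes slightly beyond the thread by showing the checks a receiving site must make (signature, audience, expiry, replay) so that a token meant for one site cannot log someone in elsewhere.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed example. Assumes every participating site shares one HMAC
# secret with the site that performed the login (hypothetical arrangement).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ASSERTION_TTL = 120  # seconds an assertion stays valid (constructed value)


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(username, audience, secret=SHARED_SECRET, now=None):
    """Run by the site where the user just logged in, when the user follows a
    link to another participating site (the audience). The assertion carries
    no password, only a signed, short-lived claim about who the user is."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "sub": username,
        "aud": audience,
        "iat": now,
        "exp": now + ASSERTION_TTL,
        "nonce": _b64url(os.urandom(12)),  # lets the receiver reject replays
    }
    body = _b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_assertion(token, my_domain, seen_nonces, secret=SHARED_SECRET, now=None):
    """Run by the receiving site. Returns the username if the assertion is
    genuine, unexpired, addressed to this site and not seen before; else None.
    On success the caller sets its *own* session cookie for its own domain."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_text)):
            return None  # forged or tampered
        claims = json.loads(_unb64url(body))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != my_domain:
        return None  # an assertion addressed to site A must not log you in at site B
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None  # expired, or issued in the future
    nonce = claims.get("nonce")
    if nonce in seen_nonces:
        return None  # replayed
    seen_nonces.add(nonce)
    return claims.get("sub")


def demo():
    """Walk through the cross-domain handoff with constructed values."""
    t0 = 1_000_000
    seen = set()
    token = issue_assertion("alice", "zopezen.example", now=t0)
    body = token.split(".", 1)[0]
    forged_token = body + "." + _b64url(bytes(32))  # same claims, bogus signature
    return {
        "first": verify_assertion(token, "zopezen.example", seen, now=t0 + 5),
        "replay": verify_assertion(token, "zopezen.example", seen, now=t0 + 6),
        "wrong_site": verify_assertion(token, "zopelabs.example", set(), now=t0 + 5),
        "expired": verify_assertion(token, "zopezen.example", set(), now=t0 + ASSERTION_TTL + 1),
        "forged": verify_assertion(forged_token, "zopezen.example", set(), now=t0 + 5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The token travels in a redirect URL or a form post, so it is visible to anything that sees the request; the short TTL, the audience field and the nonce set are what keep that exposure from turning into a usable login elsewhere. In a real deployment the `seen_nonces` set would need to be shared between the receiving site's processes and pruned as assertions expire.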
On Thu, Jul 25, 2002 at 08:39:32AM -0400, Jens Vagelpohl wrote:
Considering that most Zope users are interested in most of these sites, except when the language is not english, and that some want to really participate, I think this registration process quickly becomes very boring, and remembering all the different passwords is difficult, unless you always use the same which is insecure.
i'm not sure about that assertion. i think a typical usage pattern is more like "everyone has their own small set of sites they visit regularly".
probably because registering is boring...
i think what you *really* want (and the only thing that make bring any kind of difference to users at all) is single sign-on. i log into zope.org and when i jump to zopezen it will recognize and use the credentials i just entered when i visited zope.org.
yes that was it.
having all users in the same repository will not make much of a difference to users.
to webmasters it will ;-)
you still have to "log in" every time you visit a different site. that would not bring any discernible advantage, other than the fact that you would have the same username and password on all those sites. same username and password is kind of bad in itself because if some script kiddie finds out about one login he knows them all.
problem with centralized user repository: who would be administering such a server? who would be available if one site's webmaster or user has problems and needs assistance?
hey we are not speaking about vital data here.

needs assistance : asks a dedicated ML
all participating webmasters would be user repository admins anyway (co-opted by the others)
no answer => try IRC or retry later.
the more sites which participate, the better support service we have.
well, ok, now you have all users in a single directory. i don't see how that would bring the community together more. it makes zero difference to the user, apart from having the same username/password all over.
yes I meant single sign-on to any participating site allows one to access any other one with the same authentication information.

bye,

Jerome Alet
i'm not sure about that assertion. i think a typical usage pattern is more like "everyone has their own small set of sites they visit regularly".
probably because registering is boring...
i'm not sure about the registering thing since you only do that once, anyway. what might become boring is the "log in every time" scenario. i am so averse to doing that that i shun websites who want you to log in to do anything useful.
i think what you *really* want (and the only thing that make bring any kind of difference to users at all) is single sign-on. i log into zope.org and when i jump to zopezen it will recognize and use the credentials i just entered when i visited zope.org.
yes that was it.
single sign-on, like i mentioned in the first email, is a *really hard* problem because of the sharing of credentials across domains on the browser side.
having all users in the same repository will not make much of a difference to users.
to webmasters it will ;-)
that depends on the webmaster. i assume not all want to basically "share" their users' data in that fashion. some might want to retain complete control themselves.
problem with centralized user repository: who would be administering such a server? who would be available if one site's webmaster or user has problems and needs assistance?
needs assistance : asks a dedicated ML all participating webmasters would be user repository admins anyway (co-opted by the others)
no answer => try IRC or retry later.
the more sites which participate, the better support service we have.
a few beefs i have with this:

- who would be the "ML"? who would volunteer to be available *and* learn about all the ins and outs of the membership system (be it a RDBMS or LDAP or whatever) and the code that "talks" to the repository and the code that accepts and transforms the "shared credentials"?

- more sites == better support is, IMHO, not correct. more sites does not automatically mean more people who actually have a clue about this particular membership system beyond "i plopped this client code onto my server to participate in the membership thingy". who among those webmasters really knows about e.g. LDAP? very very few i would think.

don't get me wrong, i am not attacking the idea. the idea is intriguing. i just think it would need *much* more fleshing-out than the current "wouldn't it be cool if..." stage. :)

jens
On Thu, Jul 25, 2002 at 09:45:47AM -0400, Jens Vagelpohl wrote:
that depends on the webmaster. i assume not all want to basically "share" their users' data in that fashion. some might want to retain complete control themselves.
participating is a voluntary action, my idea wasn't about "stealing" users or data from popular sites. I don't run any community website anyway, and don't plan to.
a few beefs i have with this:
- who would be the "ML"? who would volunteer to be available *and* learn about all the ins and outs of the membership system (be it a RDBMS or LDAP or whatever) and the code that "talks" to the repository and the code that accepts and transforms the "shared credentials"?
- more sites == better support is, IMHO, not correct. more sites does not automatically mean more people who actually have a clue about this particular membership system beyond "i plopped this client code onto my server to participate in the membership thingy". who among those webmasters really knows about e.g. LDAP? very very few i would think.
while I agree that 1+1 may mean only 1, at least it shouldn't mean 0, and I'm sure that a mathematician could prove that 1+1+1+...+1 will statistically tend to be > 1 :-)

If there were only free riders then Free Software wouldn't exist in the first place. The bigger the number of free riders, the bigger the chance to get one with a clue, who finally gives something back.

replace "this client code" with "Zope" in the above sentence, and now compare the number of Zope products now with the same number three years ago => bigger isn't it ?
don't get me wrong, i am not attacking the idea. the idea is intriguing. i just think it would need *much* more fleshing-out than the current "wouldn't it be cool if..." stage. :)
at least the idea is archived now

bye,

Jerome Alet
Jerome Alet wrote:
[...]
yes I meant single sign-on to any participating site allows one to access any other one with the same authentication information.
Hmm, couldn't you do that just now? Just ask the user for their credentials, and test that credentials against the site you want to share users with. Ok, it's a bit messy without an API which is designed for that task, but its possible, and with the right amount of caching shouldn't be too hard. Maybe someone interested should just write a PiggybackUserFolder which tests user credentials against www.zope.org's login page :).

cheers,

oliver
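Oliver's "PiggybackUserFolder with the right amount of caching" can be sketched without touching the network. The following is an added Python example written for this page, not code from the thread or from any Zope product; `remote_check` is a hypothetical stand-in for posting the credentials to the other site's login page and reading back accept/reject, and the credentials and timings are constructed. The point worth seeing is what the cache holds: a salted hash of the accepted username/password pair with an expiry, never the password itself, so a dump of the cache does not hand over the shared credentials. The trade-off Oliver's design inherits from the thread stays visible too: every piggybacking site receives the user's plaintext password on each login.

```python
import hashlib
import hmac
import os
import time

# Constructed example in the spirit of the "PiggybackUserFolder" idea; not
# real Zope code. `remote_check(username, password)` stands in for asking the
# other site's login page and returns True when it accepts the pair.


class PiggybackUserFolder:
    def __init__(self, remote_check, ttl=600, clock=time.time):
        self._remote_check = remote_check
        self._ttl = ttl
        self._clock = clock
        self._cache = {}  # username -> (salt, digest, expires_at)

    @staticmethod
    def _digest(salt, username, password):
        # Only a salted hash of the accepted pair is kept, never the password.
        material = (username + "\0" + password).encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", material, salt, 20_000)

    def validate(self, username, password):
        now = self._clock()
        entry = self._cache.get(username)
        if entry is not None:
            salt, digest, expires_at = entry
            if now >= expires_at:
                del self._cache[username]  # stale: the remote site must be asked again
            elif hmac.compare_digest(digest, self._digest(salt, username, password)):
                return True  # served locally, remote site not contacted
        # Cache miss, expiry, or a different password: ask the remote site.
        if self._remote_check(username, password):
            salt = os.urandom(16)
            self._cache[username] = (salt, self._digest(salt, username, password), now + self._ttl)
            return True
        return False


class FakeRemoteSite:
    """Stands in for the remote login page and counts how often it is asked."""

    def __init__(self, users):
        self._users = users
        self.calls = 0

    def check(self, username, password):
        self.calls += 1
        return self._users.get(username) == password


def demo():
    clock = {"now": 1000.0}  # controllable clock so expiry can be shown
    remote = FakeRemoteSite({"alice": "s3cret"})  # constructed credentials
    folder = PiggybackUserFolder(remote.check, ttl=600, clock=lambda: clock["now"])
    results = {}
    results["first"] = folder.validate("alice", "s3cret")          # asks remote
    results["cached"] = folder.validate("alice", "s3cret")         # answered locally
    results["calls_after_two"] = remote.calls                      # 1
    results["wrong"] = folder.validate("alice", "nope")            # mismatch -> remote -> rejected
    results["still_cached"] = folder.validate("alice", "s3cret")   # entry survived the wrong guess
    results["calls_after_wrong"] = remote.calls                    # 2
    clock["now"] += 601                                            # past the TTL
    results["after_expiry"] = folder.validate("alice", "s3cret")   # asks remote again
    results["calls_after_expiry"] = remote.calls                   # 3
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A wrong password does not evict the cached entry, so a stream of bad guesses cannot force every later login back to the remote site; it only costs one remote round trip per guess, which is where any rate limiting would belong.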
On Thu, Jul 25, 2002 at 02:59:49PM +0200, Jerome Alet wrote:
well, ok, now you have all users in a single directory. i don't see how that would bring the community together more. it makes zero difference to the user, apart from having the same username/password all over.
yes I meant single sign-on to any participating site allows one to access any other one with the same authentication information.
Mozilla will get you most of the way there. One master password and it'll fill in the local site password for you. You only still have to register. The advantage is that you can use different passwords for different sites and thus protect against line sniffing attacks; the password the hacker gains only works in one place.

--
Martijn Pieters | Software Engineer
mailto:mj@zope.com | Zope Corporation
http://www.zope.com/ | Creators of Zope
http://www.zope.org/
---------------------------------------------
On Thu, Jul 25, 2002 at 12:09:30PM -0400, Martijn Pieters wrote:
Mozilla will get you most of the way there. One master password and it'll fill in the local site password for you. You only still have to register. The advantage is that you can use different passwords for different sites and thus protect against line sniffing attacks; the password the hacker gains only works in one place.
Yes, but the single-register + single sign-on thing I envisioned couldn't serve as good PR for the Zope community as a whole then.

bye,

Jerome Alet
participants (8)
- alet@unice.fr
- douwe@oberon.nl
- Jens Vagelpohl
- Jerome Alet
- Martijn Pieters
- Oliver Bleutgen
- Stephan Goeldi
- Toby Dickenson