[Zope] Re: Question about Zope and security

Cyrille Bonnet cyrille at 3months.com
Mon Apr 3 19:04:17 EDT 2006


Hi Dieter,

thanks for your response. It helps a lot.

It looks like DigestAuth is a step in the right direction, but needs 
more work to be completely secure.

I'll get back to my client and see where they want to go from here.

Thx for your help.

Cheers,

Cyrille

Dieter Maurer wrote:
> Cyrille Bonnet wrote at 2006-3-30 14:43 +1200:
> 
>>...
>>I did find Dieter Maurer's DigestAuth product: 
>>http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth
>>
>>It looks good. I have used other products from Dieter before and was very 
>>pleased with the quality of his code.
>>
>>Now, have other people used it? Does it work with WebDAV?
> 
> 
> It should work with WebDAV, provided the WebDAV client supports
> HTTP Digest Authentication.
> 
> 
>>How secure is 
>>it (I am no security/encryption expert)?
> 
> 
> The corresponding RFC (RFC 2617) explains in detail how
> secure the basic mechanism is.
> 
> My "DigestAuth DigestAuthCrumber" adds a bit of insecurity:
> 
>   *  the passwords must be stored (inside Zope (!) not in the request)
>      in plain text.
> 
>      This could be improved a bit, either by
> 
>        - using two way encryption -- but Zope must be able to get
>          the plain text password back.
> 
>        - fixing the domain and storing the "MD5" hash
>          of username, password and domain instead of the
>          plain text password.
> 
>          Other authentication schemes would then need to
>          be changed -- to use the same "MD5" hash.
> 
> 
>>Also, if it is good, why is not part of default Zope??
> 
> 
> 
> There are two sides of an answer: the Zope developers'/maintainers' side
> and my side.
> 
> Adding even a good package to the core means a (rather) long term
> commitment to support and maintain this package. When you
> follow "comp.lang.python" (or the corresponding mailing list),
> you see how reluctant the Python developers are to include
> additional packages into the Python core -- to avoid these
> responsibilities. The Zope maintainers are even stricter: they
> look at what they can get rid of rather than what they can include....
> 
> On my side: developing for the Zope core imposes much more overhead
> than developing independently: I would have to make a proposal,
> follow (partially stupid) style guides, add more tests (than
> necessary to convince me that the quality is sufficient)...
> Thus, I am reluctant to develop for the Zope core.
> 
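The "store the MD5 hash of username, realm and password instead of the plain text" idea in Dieter's quoted reply is exactly the HA1 value RFC 2617 defines, and the server only ever needs HA1 to verify a Digest response. The following is an added illustration written for this page; it is not code from DigestAuth or from Zope. It assumes a fixed realm string ("zope@example.com"), an in-memory user store, a nonce set the server tracks itself, and qop=auth; all of these are assumptions, not anything the product does. It also shows the knock-on effect Dieter mentions: a Basic-auth check can keep working if it recomputes the same HA1.

```python
"""RFC 2617 Digest verification from a stored HA1 hash (added example)."""
import hashlib
import hmac
import secrets

# Assumed realm. HA1 is bound to this string, which is why the realm has to be
# fixed once passwords are stored as HA1 instead of plain text.
REALM = "zope@example.com"


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password)."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 request-digest for qop=auth:
    MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_store(users: dict) -> dict:
    """Enrolment: keep only HA1 per user; the plain text password is dropped.
    `users` is a constructed username -> password dict used once here."""
    return {u: ha1(u, REALM, p) for u, p in users.items()}


def new_nonce(issued: set) -> str:
    """Server side of the 401 challenge: mint a nonce and remember it."""
    nonce = secrets.token_hex(16)
    issued.add(nonce)
    return nonce


def client_authorize(username, password, method, uri, nonce, nc, cnonce) -> dict:
    """The fields a client sends in its Authorization: Digest header."""
    h = ha1(username, REALM, password)  # the client still needs the plain text
    return {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(h, method, uri, nonce, nc, cnonce)}


def server_verify(store, method, uri, params, issued, used) -> bool:
    """Check an Authorization header (as dict) against the HA1 store.
    `issued`: nonces this server handed out. `used`: (nonce, nc) pairs already
    accepted, so a captured header cannot simply be replayed."""
    if params.get("realm") != REALM or params.get("qop") != "auth":
        return False
    if params.get("uri") != uri:          # digest-uri must match the request
        return False
    nonce, nc = params.get("nonce"), params.get("nc")
    if nonce not in issued or (nonce, nc) in used:
        return False
    stored = store.get(params.get("username"))
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, params.get("cnonce", ""))
    if not hmac.compare_digest(expected, str(params.get("response", ""))):
        return False
    used.add((nonce, nc))
    return True


def verify_basic_against_ha1(store, username, password) -> bool:
    """A Basic-auth (or other plain text) login checked against the same HA1,
    which is the change to "other authentication schemes" Dieter describes."""
    stored = store.get(username)
    return stored is not None and hmac.compare_digest(stored, ha1(username, REALM, password))


if __name__ == "__main__":
    store = make_store({"alice": "s3cret"})       # constructed sample user
    issued, used = set(), set()
    nonce = new_nonce(issued)
    hdr = client_authorize("alice", "s3cret", "GET", "/index_html", nonce, "00000001", "0a1b2c3d")
    print("store holds plain text?", "s3cret" in repr(store))
    print("first use accepted?", server_verify(store, "GET", "/index_html", hdr, issued, used))
    print("replay accepted?", server_verify(store, "GET", "/index_html", hdr, issued, used))
```

Two caveats a deployment should keep in mind. HA1 is password-equivalent for that realm: anyone who reads the store can produce valid Digest responses without ever learning the password, so the store needs the same protection the plain text would have. And the nonce/nc bookkeeping above is what turns the RFC's "should" into a real replay check; a server that accepts any well-formed nonce gets no protection from a captured header.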


