[TYPO3-dev] Services architecture

Helmut Hummel helmut.hummel at typo3.org
Mon Apr 4 16:44:52 CEST 2011


Hi Christian,

Christian Lerrahn (Cerebrum) wrote:

> I believe the modifications to rsaauth required to make it
> "rsatransfer" as you call it would be minor and would be happy to dig
> into that. However, there is still the problem that currently the
> transferred credentials are passed to the authentication services by
> value and can therefore not be returned to the chain without a
> (minimal) core change. Or did you have a different mechanism in mind?

As Dmitry and Marcus pointed out, it does not make sense to "hack" 
the authentication chain to implement a (RSA) transfer service.

We do not have something like that yet, but I would appreciate it if 
someone is willing to dig into it and find a clean and good solution.

Repeating the task and the challenges mentioned by Marcus:

 > Possible use cases:
 > * credential transfer from a login form (BE/FE)
 > * transfer of password to set in user setup BE module
 > * transfer of other confidential data between client & server
 > * ...
 >
 > The challenges are:
 > * structure of a "transfer only" service
 > * how to describe a relationship between authentication and the transfer service
 > * ...

Obviously the transfer/decryption part must happen before the 
authentication part.

If we have that, the rsaauth in the authentication chain would of course 
be obsolete.

Is it more clear now?

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
