[TYPO3-project-4-3] Making RSA Auth default login method?

Ingmar Schlecht ingmar at typo3.org
Mon May 4 18:40:52 CEST 2009


Hi all,

as you might have noticed, Dmitry today committed the RSA Auth
extension, so a fully encrypted login procedure will be possible even
without HTTPS with TYPO3 4.3.

However, it is not configured to be the default at the moment, but needs
to be enabled by setting TYPO3_CONF_VARS[BE][loginSecurityLevel] (or FE
respectively) to the value "rsa" in order to become active.

Now, the question is whether we should enable it by default instead.

Pros:
 + secure by default (it's not possible any longer to log in with just
   the MD5 of the password & the password is transmitted to the server
   RSA encrypted (i.e. public/private key encryption))

Cons:
 - People who don't have the openssl PHP extension installed might not
   be able to log in at all and need to set their login security level
   back to superchallenged (or something different) from the install
   tool

Personally, I would tend to enable rsa by default (my feeling is that
most servers have the openssl PHP extension installed). What would be
ideal I think would be a fallback to superchallenged if openssl is not
found...

What do you think?

cheers
Ingmar
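The fallback Ingmar describes (prefer "rsa", drop to "superchallenged" when the openssl PHP extension is missing) can be expressed as a small localconf.php fragment. This is an added example, not code from the post or from the RSA Auth extension; it assumes the TYPO3 4.x `$TYPO3_CONF_VARS` array and the `loginSecurityLevel` key and values named in the post, and uses PHP's own `extension_loaded()` / `function_exists()` to detect openssl.

```php
<?php
// Added example (not from the post or the rsaauth extension).
// Assumption: TYPO3 4.3 reads $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] and
// the FE counterpart from localconf.php, and the "rsa" level needs the PHP
// openssl extension, as the post states.

/**
 * Pick the login security level: the preferred one when RSA is usable,
 * otherwise the fallback, so admins are not locked out of the backend.
 *
 * $rsaAvailable can be passed explicitly (e.g. for testing); when null it is
 * detected from the running PHP.
 */
function chooseLoginSecurityLevel($preferred = 'rsa', $fallback = 'superchallenged', $rsaAvailable = null)
{
    if ($rsaAvailable === null) {
        // RSA login needs the openssl extension and its key-pair functions.
        $rsaAvailable = extension_loaded('openssl') && function_exists('openssl_pkey_new');
    }
    if ($preferred === 'rsa' && !$rsaAvailable) {
        return $fallback;
    }
    return $preferred;
}

$level = chooseLoginSecurityLevel();

// Apply the same level to backend and frontend logins.
$TYPO3_CONF_VARS['BE']['loginSecurityLevel'] = $level;
$TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = $level;

// Record the decision so a later downgrade to "superchallenged" is visible in
// the logs rather than silent; error_log() is plain PHP, not a TYPO3 API.
if ($level !== 'rsa') {
    error_log('TYPO3 login security level set to "' . $level . '": openssl PHP extension not available, RSA login disabled');
}
```

Logging the downgrade matters from a defender's point of view: a silent fall back to "superchallenged" re-enables the weaker login path without anyone noticing, whereas an explicit log line lets the operator install openssl and restore "rsa".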