[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism
Steffen Ritter
info at rs-websystems.de
Sat Jan 3 17:18:17 CET 2009
Hello,
thank you for your extensive thoughts about this topic.
> - Somewhere else ;-) : The private key of a user. The so called
> WalletService is responsible for managing the private key data and all
> RSA cryptography on the server.
I'm not sure about what this does to the end user.
He has to install software on his computer that communicates with TYPO3?
If so, I think it's much too complicated and will lead to user loss in
the community, I think. It would be the start of a client-side backend software.
Not allowing logins without SSL would be more helpful.
For FE it is too much overhead in any case... Imagine most installations
work with plain text right now (which I think is very stupid).
Using JavaScript in the FE, I also think, is no problem.
Some brainstorming about the login topic:
In the backend we may provide a login solution using Flash (displaying
the form, calculating hash values, doing Ajax interaction), which might
speed up calculation and would not present the calculating code openly on
every page but only in SVN for lookup.
In-house we have a database of which IP is allowed on which MAC address,
and to which user it is registered. So I authenticate (FE & BE) users by
a valid IP/MAC combination (own auth service). Over the internet this would
be difficult because of changing IPs, but admins might have the
possibility to restrict editors' MAC addresses (yes, I know that someone
might change the MAC of his NIC).
Most browsers are able to change their user agent string...
So session hijacking could be prevented by including the user agent
string in the session comparison. AND it would be even more secure if the
TYPO3 BE would provide (e.g. every month) a .reg file for Windows or a script
on other OSes, changing a random flag in the user agent string...
so long
keep on rocking 5.0
Steffen
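The session/user-agent binding suggested in the post above, worked through as an added example (this is illustration code written for this page, not TYPO3 code and not the author's). It assumes an in-memory session table, a per-installation secret used to key the fingerprint, and three constructed requests; the names `SessionStore`, `fingerprint` and `demo` are invented for the illustration. It shows what the check buys and what it does not: a thief who replays only the stolen cookie from a different browser is rejected, while a thief who also copied the victim's User-Agent header is accepted, since that header is set by the client.

```python
"""Binding a session to the client's User-Agent, as sketched in the post above.

Added illustration, not TYPO3 code: the session store remembers a keyed hash
of the User-Agent string at login and rejects later requests whose User-Agent
no longer matches. The constructed requests in demo() show what this buys
and what it does not: a thief who has only the session cookie and uses a
different browser is rejected, while a thief who also copied the victim's
User-Agent header is accepted, because that header is chosen by the client.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Per-installation secret (assumed for the example); keying the fingerprint
# means a leaked session table does not reveal the raw User-Agent strings.
SERVER_SECRET = secrets.token_bytes(32)


def fingerprint(user_agent: str) -> str:
    """Keyed hash of the User-Agent string used as the session binding."""
    return hmac.new(SERVER_SECRET, user_agent.encode("utf-8"),
                    hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session table: session id -> {user, fp}."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def login(self, username: str, request: Dict[str, str]) -> str:
        """Create a session bound to the User-Agent seen at login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": username,
            "fp": fingerprint(request.get("User-Agent", "")),
        }
        return sid

    def authenticate(self, request: Dict[str, str]) -> Optional[str]:
        """Return the user for a valid, correctly bound session, else None."""
        sess = self._sessions.get(request.get("Cookie", ""))
        if sess is None:
            return None
        presented = fingerprint(request.get("User-Agent", ""))
        # Constant-time compare; a mismatch is treated as a possible hijack
        # and the request is rejected (the session itself is left in place).
        if not hmac.compare_digest(sess["fp"], presented):
            return None
        return sess["user"]


def demo() -> Dict[str, Optional[str]]:
    """Run three constructed requests against one session and report outcomes."""
    store = SessionStore()
    # Constructed sample User-Agent for the victim's browser.
    victim_ua = "Mozilla/5.0 (Windows NT 6.0; rv:1.9) Gecko/2008 Firefox/3.0"
    sid = store.login("editor", {"User-Agent": victim_ua})
    return {
        # Legitimate follow-up request from the victim's own browser.
        "victim": store.authenticate(
            {"Cookie": sid, "User-Agent": victim_ua}),
        # Stolen cookie replayed from a different client: binding fails.
        "thief_other_ua": store.authenticate(
            {"Cookie": sid, "User-Agent": "curl/7.19.7"}),
        # Stolen cookie plus copied User-Agent header: binding passes.
        "thief_copied_ua": store.authenticate(
            {"Cookie": sid, "User-Agent": victim_ua}),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {'accepted as ' + user if user else 'rejected'}")
```

The binding only raises the bar for an attacker who obtained the cookie without the accompanying request headers; anyone who captured the whole request (for example on a plain-text connection, the scenario the post worries about) has the User-Agent too, so the check is a heuristic to layer on top of SSL rather than a substitute for it.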