[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism

[Steffen Ritter]

Hello,
thank your for your extensive thoughts about this topic.

> - Somewhere else ;-) : The private key of a user. The so called 
> WalletService is responsible for managing the private key data and all 
> RSA cryptography on the server.
I'm not sure about what this does to the end user.
He has to install an software on his computer communication with TYPO3?

If so, i think it's much to complicated and will lead to user loss in 
the community i think. Would be a start of a client sided backend software.

Not allowing logins without ssl would be more helping.

For FE it is to much overload in any case... Imagine most installations 
work with plain text right now (what I think is very stupid).

Using JavaScript in FE i do also think is no problem.

Some brainstorming about the login topic:

In the backend we may provide a Login solution using Flash (Displaying 
the form, calculating hash values, doing Ajax interaction) which might 
fasten calculation and would not present calculating code opened up on 
every page but only in SVN for lookup.

Inhouse we have a database which IP is allowed on which MAC-Address.
And to which user it is registrated. So I authenticate (FE&BE) Users by 
an valid IP/MAC combination (own auth service). Over internet this would 
be difficult because of changing the ip, but admins might have the 
possibility to restrict editors mac addresses (yes i know that someone 
might change the mac of his nic)

Most browsers are able to change their user agent string...
So session hijacking could be prevented by including the useragents 
string into the session comparism. AND it would be even more secure if 
typo3 BE would provide (f.e. every month) an .reg on for win or script 
on other oses, changing an random flag in the user agent string...


so long
keep on rocking 5.0

Steffn