[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism

Xavier Perseguers typo3 at perseguers.ch
Sat Jan 3 17:32:50 CET 2009


Hi Steffen,

>> - Somewhere else ;-) : The private key of a user. The so called 
>> WalletService is responsible for managing the private key data and all 
>> RSA cryptography on the server.
> I'm not sure about what this does to the end user.
> Does he have to install software on his computer that communicates with TYPO3?
> 
> If so, I think it's much too complicated and will lead to user loss in 
> the community. It would be a start of client-sided backend software.

No! The WalletService will run on the *server* itself. But it's true 
that it is an additional binary to run, just as you may need some cron 
jobs to enhance features of TYPO3, you'll have to install a binary on 
your server.

> Not allowing logins without ssl would be more helping.

True, but it's quite complicated to force SSL as you may have many TYPO3 
websites on a server and I do not know any method to do this without 
having SSL served on non-common ports for each vserver.

> For FE it is too much overhead in any case... Imagine most installations 
> work with plain text right now (which I think is very stupid).

True!

> In the backend we may provide a login solution using Flash (displaying 
> the form, calculating hash values, doing Ajax interaction) which might 
> speed up calculation and would not present the calculating code openly on 
> every page but only in SVN for lookup.

I'm against it! Flash is not supported on all browsers. Just take my 
iPhone... it would prevent me (and so many others) from logging on to one of my 
TYPO3 websites.

> In-house we have a database of which IP is allowed on which MAC address,
> and to which user it is registered. So I authenticate (FE&BE) users by 
> a valid IP/MAC combination (own auth service). Over the internet this would 
> be difficult because of changing IPs, but admins might have the 
> possibility to restrict editors' MAC addresses (yes, I know that someone 
> might change the MAC of his NIC).

You want to prevent me from logging in to my website from anywhere? Seems 
not so great in many cases.

> Most browsers are able to change their user agent string...
> So session hijacking could be prevented by including the user agent 
> string in the session comparison. AND it would be even more secure if 
> the TYPO3 BE would provide (e.g. every month) a .reg file for Windows or a script 
> on other OSes, changing a random flag in the user agent string...

Wahoo! It's way too complicated! Security is very very important but 
please, KISS at least as much as possible!

-- 
Xavier Perseguers
http://xavier.perseguers.ch/en

One contribution a day keeps the fork away
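Added example (not part of the mailing list post, and not TYPO3 code): the session-binding check discussed above, written as a small server-side routine. A session id is issued together with an HMAC tag over the id and the presenting browser's User-Agent string; later requests are accepted only if the same User-Agent reproduces the tag. The server secret, the session store and the User-Agent strings are constructed for the demonstration. The check only helps against an attacker who obtained the session cookie but not the User-Agent string, which is the limit the quoted text itself points out.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment would load this from
# configuration and keep it out of the code base.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def bind_session(session_id: str, user_agent: str) -> str:
    """HMAC tag binding a session id to the User-Agent that opened it."""
    msg = session_id.encode() + b"\x00" + user_agent.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_session(user_agent: str, store: dict) -> str:
    """Create a fresh session id and record its binding tag server-side."""
    session_id = secrets.token_hex(16)
    store[session_id] = bind_session(session_id, user_agent)
    return session_id


def validate_session(session_id: str, user_agent: str, store: dict) -> bool:
    """Accept the request only if the id is known and the UA reproduces the tag."""
    expected = store.get(session_id)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, bind_session(session_id, user_agent))


def demo():
    """Walk through issue, legitimate reuse, and reuse from a different browser."""
    store = {}
    ua_owner = "Mozilla/5.0 (iPhone; CPU iPhone OS 2_2)"      # constructed
    ua_other = "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"   # constructed

    sid = issue_session(ua_owner, store)
    same_browser = validate_session(sid, ua_owner, store)   # True
    other_browser = validate_session(sid, ua_other, store)  # False: binding mismatch
    unknown_id = validate_session("0" * 32, ua_owner, store)  # False: no such session
    return same_browser, other_browser, unknown_id


if __name__ == "__main__":
    print(demo())
```

Because the User-Agent header is chosen by the client, a mismatch is a useful detection signal (log it and invalidate the session), but a matching header proves nothing on its own; the monthly rotating flag proposed in the thread would only raise the bar as far as that flag stays unknown to whoever holds the cookie.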

