[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism
Andreas Förthner
andreas.foerthner at netlogix.de
Sat Jan 3 18:57:17 CET 2009
Xavier Perseguers wrote:
> Hi Steffen,
>
>>> - Somewhere else ;-) : The private key of a user. The so called
>>> WalletService is responsible for managing the private key data and
>>> all RSA cryptography on the server.
>> I'm not sure about what this does to the end user.
>> He has to install software on his computer communicating with TYPO3?
>>
>> If so, I think it's much too complicated and will lead to user loss in
>> the community I think. Would be a start of a client-sided backend
>> software.
>
> No! The WalletService will run on the *server* itself. But it's true
> that it is an additional binary to run, just as you may need some cron
> jobs to enhance features of TYPO3, you'll have to install a binary on
> your server.
Exactly. Some kind of encryption/safety daemon. I'll check out the
possibilities and how complex it will be to run it.
>> Not allowing logins without ssl would be more helping.
>
> True, but it's quite complicated to force SSL as you may have many TYPO3
> websites on a server and I do not know any method to do this without
> having SSL served on non-common ports for each vserver.
Good point!
>> In the backend we may provide a Login solution using Flash (Displaying
>> the form, calculating hash values, doing Ajax interaction) which might
>> fasten calculation and would not present calculating code opened up on
>> every page but only in SVN for lookup.
>
> I'm against it! Flash is not supported on all browsers. Just take my
> iPhone... it would prevent me (and so many others) to log on one of my
> TYPO3 websites.
See my previous post.
>> Inhouse we have a database which IP is allowed on which MAC address.
>> And to which user it is registered. So I authenticate (FE&BE) users
>> by a valid IP/MAC combination (own auth service). Over internet this
>> would be difficult because of changing the IP, but admins might have
>> the possibility to restrict editors' MAC addresses (yes I know that
>> someone might change the MAC of his NIC)
>
> You want to prevent me from logging to my website from anywhere? Seems
> not so great in many cases.
See my previous post.
>> Most browsers are able to change their user agent string...
>> So session hijacking could be prevented by including the user agent
>> string into the session comparison. AND it would be even more secure if
>> TYPO3 BE would provide (f.e. every month) a .reg for win or script
>> on other OSes, changing a random flag in the user agent string...
>
> Wahoo! It's way too complicated! Security is very very important but
> please, KISS at least as much as possible!
See my previous post. ;-)
Thanks for the discussion.
Greets Andi