Hi All,

If the secret key based solution can be used by Cassandra, would it be better to do those in a module under the identity component? Some time back I added secret key based authentication using the code that existed in the Qpid component at that time [https://svn.wso2.org/repos/wso2/trunk/carbon/components/identity/org.wso2.carbon.identity.authentication]. Would it be better to modify that code?

Thanks,
Indika

On Tue, Mar 15, 2011 at 5:35 PM, Paul Fremantle <[email protected]> wrote:

> On 15 March 2011 11:26, Dimuthu Leelarathne <[email protected]> wrote:
>
>> 3) I don't understand the SQS secret key part.
>>> a) I'd expect to see both an access key and a secret key
>>
>> I need to clarify something regarding this "access key" and "secret key".
>> Right now access key is username and secret key is D for SQS. I think we can
>> keep it the same and implement your algorithm with minimal changes to UM. So
>> here is the implementation,
>>
>> 1) Generate X on server on first server start up and store it securely. We
>> can encrypt it using server's public key
>> 2) When a user requests an SQS key, generate D and store it in UM using
>> userStore.addUser(String username, String password) as follows.
>> userStore.addUser(SecureHash(U+X), D+X) - we store password hashed.
>> 3) Show D to user. User's access key is username and user's secret key is D
>> 4) When user sends SQS requests using D, check the validity as follows.
>> userStore.authenticate(SecureHash(U+X), D+X)
>> 5) If the user is validated (i.e. authenticate is passed) the signature is
>> generated using D+X
>>
>> If it is done this way we need not show two keys to user. Of course we can
>> show two keys to user as well, i.e. in place of username we can show
>> SecureHash(U+X). But is it a requirement?
>
> Dimuthu
>
> The access key cannot be the username because it is a 20 digit key. See
> http://docs.amazonwebservices.com/AWSSimpleQueueService/2009-02-01/SQSGettingStartedGuide/
> So we need to do something to make it fit that.
>
> I'm still not clear if the secret key is stored separately or just
> something we calculate from their existing password?
>
> Paul
>
>> Thanks,
>> Dimuthu
>>
>>> b) I don't expect the user to change these: I thought they were going to
>>> be calculated.
>>>
>>> More feedback when I finally get it to build :-)
>>>
>>> Paul
>>>
>>> --
>>> Paul Fremantle
>>> CTO and Co-Founder, WSO2
>>> OASIS WS-RX TC Co-chair, VP, Apache Synapse
>>>
>>> Office: +44 844 484 8143
>>> Cell: +44 798 447 4618
>>>
>>> blog: http://pzf.fremantle.org
>>> twitter.com/pzfreo
>>> [email protected]
>>>
>>> wso2.com Lean Enterprise Middleware

_______________________________________________ Carbon-dev mailing list [email protected] http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
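
An added sketch of steps 1 to 4 of the scheme quoted above, not code from the thread or from WSO2 Carbon. `UserStore` is an in-memory stand-in for the UM user store, and HMAC-SHA256 keyed with X for SecureHash and PBKDF2 for the store's password hashing are assumed choices.

```python
import hashlib
import hmac
import secrets


class UserStore:
    """In-memory stand-in for the UM user store; passwords are kept hashed."""

    def __init__(self):
        self.rows = {}  # name -> (salt, PBKDF2 hash of the password)

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        self.rows[name] = (salt, self._hash(password, salt))

    def authenticate(self, name, password):
        row = self.rows.get(name)
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(stored, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def secure_hash(username, x):
    """SecureHash(U+X): HMAC-SHA256 keyed with X (an assumed choice)."""
    return hmac.new(x, username.encode(), hashlib.sha256).hexdigest()


def issue_key(store, x, username):
    """Steps 2-3: create D, store it as D+X under SecureHash(U+X), return D."""
    d = secrets.token_urlsafe(30)  # 40-character secret key shown to the user
    store.add_user(secure_hash(username, x), d.encode() + x)
    return d


def check_key(store, x, username, d):
    """Step 4: userStore.authenticate(SecureHash(U+X), D+X)."""
    return store.authenticate(secure_hash(username, x), d.encode() + x)


if __name__ == "__main__":
    x = secrets.token_bytes(32)       # step 1: server secret X
    store = UserStore()
    d = issue_key(store, x, "alice")  # constructed sample user
    print(check_key(store, x, "alice", d), list(store.rows))
```

Because the store keeps only a hash of D+X, this check needs D itself to be presented; verifying an HMAC signature computed with D would require the server to hold or recompute the key.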
