(replies inline)

On Tue, 27 Mar 2018, Baptiste Mathus wrote:

> (Adding in CC Emmanuel Lécharny <http://people.apache.org/~elecharny/>, who
> took a look at the proposal)
> 
> Trying to summarize our chat on Twitter, I see two outstanding points:
> 
> * Emmanuel is rightly questioning/concerned about the potential of DDoS for
> this JEP.
> Tyler, should we add something about this in the JEP, or do you consider it
> more something to be addressed in an IEP on the infra side?
> (also, downstream to it AIUI, the Telemetry and other services are all DDoS
> vectors)


I consider the discussion about rate limiting (for example) to be the future of
the deployment aspect of these services as well, but guess who will be writing
the IEP! :)

Concerns about a DDoS as they might apply to the client/service interaction are
definitely worth discussing in relation to the JEP. However, based on what I
interpret is Emmanuel's feedback, it's not the interactions necessarily but
rather a "good infra hygiene" concern which I understand.



> * "MITM for expiry": it seems possible to reuse a UUID signed with the PK.
> "Ideally, to renew the token, you should have a 'nonce' to avoid MITM"

This feedback I'm not sure I understand. The UUID and public key are only ever
exchanged on initial registration, and then the signed payload (indicating
authenticity) is used for the "login" behavior. On JWT expiry, the login flow is
re-initiated rather than the registration flow, so I'm not sure I understand
where the Man-in-the-Middle for expiry concern would come in.

Perhaps something is getting lost in translation here on my end?

Thanks for acting as a proxy Baptiste, and thanks Emmanuel for taking the time
to look at the proposal!


Cheers
- R. Tyler Croy

------------------------------------------------------
     Code: <https://github.com/rtyler>
  Chatter: <https://twitter.com/agentdero>
     xmpp: rty...@jabber.org

  % gpg --keyserver keys.gnupg.net --recv-key 1426C7DC3F51E16F
------------------------------------------------------
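As an added illustration, not code from the JEP or from anyone in this thread: the registration-then-login flow Tyler describes, with the server-issued nonce Emmanuel suggests bound into the signed login payload, so that a captured login payload cannot be replayed when the JWT expires and login is re-initiated. Ed25519 signatures, the `uuid|nonce` payload layout and the in-memory nonce store are assumptions of this example, not details of the proposal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Server: public keys registered by UUID, plus a hypothetical in-memory store of outstanding nonces.
type Server struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string]bool
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Register runs once per client; UUID and public key are exchanged only here.
func (s *Server) Register(uuid string, pub ed25519.PublicKey) { s.keys[uuid] = pub }

// Challenge issues a fresh single-use nonce that the next login must sign.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read is documented never to return an error (Go 1.24+)
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n
}

// Login accepts a signed payload only if its nonce is outstanding and the registered
// key signed exactly uuid|nonce; the nonce is then consumed, so a replay is rejected.
func (s *Server) Login(uuid, nonce string, sig []byte) error {
	pub, ok := s.keys[uuid]
	if !ok {
		return errors.New("unknown uuid")
	}
	if !s.nonces[nonce] {
		return errors.New("nonce unknown or already used")
	}
	if !ed25519.Verify(pub, []byte(uuid+"|"+nonce), sig) {
		return errors.New("bad signature")
	}
	delete(s.nonces, nonce)
	return nil
}

// ClientSign: the client signs its UUID and the server's nonce to log in.
func ClientSign(priv ed25519.PrivateKey, uuid, nonce string) []byte { return ed25519.Sign(priv, []byte(uuid+"|"+nonce)) }
```

Without the nonce, the same signed payload would verify every time it was presented; with it, a second presentation fails at the nonce check before the signature is even examined.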
