On mar, 2009-02-24 at 10:27 +, Enrico Zini wrote:
> I can implement OpenID in a new Debtags web application, but people
> would have to get their identities out of something like their blogs.
> We could implement a Debian OpenID provider, but it'll have to be
> something else than the normal us
On Mon, Feb 23, 2009 at 10:19:21PM -0500, Sam Hartman wrote:
> I find it deeply ironic that I'm arguing against security. However,
> let's remember that we're talking about debtags. It's always
> important to think about your threat model and about how much
> complexity you're willing to spend i
On Mon, 23 Feb 2009, Sam Hartman wrote:
> I find it deeply ironic that I'm arguing against security. However,
> let's remember that we're talking about debtags. It's always
> important to think about your threat model and about how much
> complexity you're willing to spend in order to get securi
> "Brian" == Brian May writes:
Brian> Ben Finney wrote:
>> I invite anyone interested in knowing how the distinct areas of
>> identity, trust, and security intersect with the OpenID system,
>> to research the available documentation.
>>
Brian> ...except openid has se
Ben Finney wrote:
I invite anyone interested in knowing how the distinct areas of
identity, trust, and security intersect with the OpenID system, to
research the available documentation.
...except openid has serious issues with establishing identity in a
secure manner. Especially if the ser
Peter Palfrader wrote:
As openid provides no security whatsoever there's probably not a big
chance of us (as in DSA) hopping onto the openid hype any time soon.
openid could be secure - e.g. by enforcing https everywhere, always
checking the remote certificate properly, never using password
Peter Palfrader writes:
> What's the point of an identity if you can't rely on it to be really
> that identity? Authentication that is trivially bypassed or forged is
> not really useful.
This thread [0] isn't the place to debate how useful OpenID is for
those who choose to use it.
I invite anyo
On Mon, 23 Feb 2009, Ben Finney wrote:
> > As openid provides no security whatsoever
>
> Just like an email address, an OpenID is good for identity; security
> needs to be dealt with in a separate layer, just as with email. I
> don't know who promised OpenID “provides security”, or expects it
Peter Palfrader writes:
> On Mon, 23 Feb 2009, Enrico Zini wrote:
>
> > If Debian were an OpenID provider, then using the Debian OpenID
> > could automatically give some authorization, like assuming that
> > one is a DD. That could have been handy, but indeed not
> > particularly needed.
>
> As
Enrico Zini writes:
> On Mon, Feb 23, 2009 at 11:00:06AM +1100, Ben Finney wrote:
>
> > What of those that use an OpenID provider not on the whitelist? […
> > What of non-DDs who do not necessarily have an account on any of those
> > services […]?
>
> Fair enough, any OpenID server will probabl
On Mon, 23 Feb 2009, Enrico Zini wrote:
> If Debian were an OpenID provider, then using the Debian OpenID could
> automatically give some authorization, like assuming that one is a DD.
> That could have been handy, but indeed not particularly needed.
As openid provides no security whatsoever ther
On Mon, Feb 23, 2009 at 11:00:06AM +1100, Ben Finney wrote:
> > and a whitelist of identity providers that every DD can easily use
> > (like alioth or debian)
>
> What of those that use an OpenID provider not on the whitelist? (I
> imagine some not insignificant number of hackers run their own
>
Enrico Zini, 2009-02-22 23:15:36 + :
> But did I recall reading that Alioth, or debian.org, can be OpenID
> providers?
Not currently. Every once in a while somebody pops up and talks about
implementing an OpenID provider plugin, but it hasn't appeared yet.
If someone feels like going furth
On Sun, Feb 22, 2009 at 11:15:36PM +, Enrico Zini wrote:
> But did I recall reading that Alioth, or debian.org, can be OpenID
> providers? If I can use that, I solved the problem, otherwise, I
> may just postpone implementing authenticated stuff until handy
> OpenID providers happen in Debian.
Enrico Zini writes:
> About authenticated access:
>
> - I do not want to maintain another user/password database: this
> should be done with Openid
I heartily applaud this decision.
> and a whitelist of identity providers that every DD can easily use
> (like alioth or debian)
What of those
On Sun, Feb 22, 2009 at 04:32:06PM -0600, Raphael Geissert wrote:
> Enrico Zini wrote:
> [...]
> > - I do not want to maintain another user/password database: this should
> >   be done with Openid and a whitelist of identity providers that every
> >   DD can easily use (like alioth or debian)
>
Hi,
>
> Why not use the DDs and DMs keyrings? just make them sign a given random
> token and submit it.
Debtags used to have a very liberal contribution policy - anonymous - and
that helped a lot getting the initial data in.
It has always been a goal to make contributing to Debtags as easy as
poss
Enrico Zini wrote:
[...]
>
> - I do not want to maintain another user/password database: this should
>   be done with Openid and a whitelist of identity providers that every
>   DD can easily use (like alioth or debian)
>
Why not use the DDs and DMs keyrings? just make them sign a given rando
On Sun, 22 Feb 2009, Enrico Zini wrote:
- workflow changes:
- form subcommittees by broad topics: "The Gnome Guys", "The KDE Guys",
"The Web Developers", "The Photographers" and so on, and give them
the ultimate say on a set of tags, including being able to say "these
packages
Hello,
I've started to ponder a decent redesign of the Debtags web interface,
that will be hosted at debtags.debian.net. I'd like to post here my
intentions, as a sort of RFC. Comments are welcome.
New features that I think are needed:
- workflow changes:
- form subcommittees by broad top
20 matches