Re: [Mailman-Users] [Mailman-Developers] openID enabled mailman
On Jun 13, 2009, at 1:25 PM, Brad Knowles wrote:

> Mailman is the wrong place to put an OpenID provider. That needs to go
> somewhere else, and then you can put in code that allows Mailman to be
> an OpenID Relyer.

Well put, and I could not agree more. What would be very helpful would be adding the necessary support to Mailman 2.2 and 3 so that it can be a relying party, and perhaps we can finally deprecate or kill off the stupid user passwords.

-Barry

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Users] [Mailman-Developers] openID enabled mailman
Malveeka Tewari writes:

> Our focus is on providing Single Sign On but we do not want to delegate
> authentication to a third party. Hence we want to implement OpenID provider
> for our Mailman service.

I don't think this is a good idea. Mailman is designed to deliver single messages to multiple parties, which it does very well, and to manage member lists, which it does tolerably well for many purposes. It is not designed to keep secrets. You may not now particularly care, but it could be very annoying later if you decide you want more security and need to switch your system.

Better to put your provider in a separate place from Mailman, and have Mailman rely on and trust only your provider. You could do them on the same host if necessary but in the long run you might want to have the provider on a dedicated host, depending on how serious you become about security.

> and OpenID relying party for our wiki etc.
>
> Now for the OpenID provider we may choose to have new passwords or use the
> mailman passwords. For ease of users, we want to use the mailman passwords
> for the OpenID provider.

Again, Mailman is not very secure. In the default configuration, passwords are mailed out in cleartext over non-secure channels (and even so-called secure mail is pretty tricky -- it's much easier to secure a web application). The passwords are also stored in the clear.

This means that if you want to set up OpenID for existing users by transferring their passwords, it should be possible (I don't know how offhand, though). I don't recommend that, either. Normally, people don't care that much as there's not much damage that can be done via a mailing list, except spamming, and most lists have additional defenses against that. But you plan to rely on these passwords to secure multiple services, making the value of cracking one that much higher. I would ask my own users to set new passwords in this situation.

Of course, all these issues depend on a lot of factors. You may have better security than the default for the Internet in place, or much more careful users, etc.

Re: [Mailman-Users] [Mailman-Developers] openID enabled mailman
Hi Stephen

Thanks for your reply.

We want to implement the OpenID Provider for the mailman set up we are running on our servers. The idea is to use OpenID with mailman to provide single sign on for our other user accounts like our wiki etc.

Our focus is on providing Single Sign On but we do not want to delegate authentication to a third party. Hence we want to implement OpenID provider for our Mailman service and OpenID relying party for our wiki etc.

Now for the OpenID provider we may choose to have new passwords or use the mailman passwords. For ease of users, we want to use the mailman passwords for the OpenID provider.

I hope I have conveyed what I am trying to do. I will be thankful for any suggestions.

Thanks
Malveeka

On Sat, Jun 13, 2009 at 12:03 PM, Stephen J. Turnbull wrote:

> Malveeka Tewari writes:
>
> > 2. Sign in with existing openID login for your subscription
> >
> > *1. Enable/Disable openID login for your subscription* *account*
> > For enabling and disabling the openID feature, the users log in to their
> > subscribed accounts as they do now for changing any of the subscription
> > options.
> > On this page if they enable the openID feature, they receive an automated
> > reply with their openID identifier.
> >
> > The password for the openID identifier is the same as that for the
> > subscription accounts. If they change their subscription passwords, their
> > openID password gets changed too.
>
> I don't understand what you're trying to do. The whole point of open
> ID is delegating authorization to a third party. If you want, you can
> provide that service as well, but once you've enabled OpenID, you
> shouldn't need a password for Mailman. In fact, the Mailman password
> should be disabled, as it is certainly less secure than OpenID at this
> point in time.
>
> > I want to know if there's already an openID enabled version of
> > mailman available
>
> The OpenID project has OpenID-enabled Mailman lists, but according to
> Brad Knowles in the process of adapting Mailman to OpenID they broke a
> lot of other features, and integrating their changes is non-trivial.