[Zope] Re: Zope/Plone logon security strategy etc

2006-03-01 Thread michael nt milne
ok, thanks. I didn't notice the documentation on your site. On 2/28/06, Dieter Maurer [EMAIL PROTECTED] wrote: michael nt milne wrote at 2006-2-28 15:51 +: I'm probably missing something really obvious but am wondering how you actually implement your product on a live plone site. I've got

Re: [Zope] Re: Zope/Plone logon security strategy etc

2006-01-27 Thread Chris Withers
David wrote: I moved to Apache (for SSL) because its independent of Zope and it will give you SSL and the power of a world class server when you need it. ZopeSSL worked fine (when i last tried it, like zope 2.4x). For SSL and HTTP sanitisation, I wouldn't trust anything that doesn't get the

Re: [Zope] Re: Zope/Plone logon security strategy etc

2006-01-26 Thread David
Tino Wildenhain wrote: michael nt milne schrieb: Yes I agree, having checked on basic http authentication I need SSL. Basic http and cookie auth is insecure. I just feel that zope should have this facility even with a self signed certificate, so that you could do it without Apache

[Zope] Re: Zope/Plone logon security strategy etc

2006-01-25 Thread michael nt milne
Cookie authentication can't be secure. Also I have my doubts about http authentication. I'll check though. Basicallx you want really good encryption on any logon and password etc. On 1/25/06, Jens Vagelpohl [EMAIL PROTECTED] wrote: On 25 Jan 2006, at 18:55, michael nt milne wrote: Hi

Re: [Zope] Re: Zope/Plone logon security strategy etc

2006-01-25 Thread Tino Wildenhain
michael nt milne schrieb: Cookie authentication can't be secure. Also I have my doubts about http authentication. I'll check though. Basicallx you want really good encryption on any logon and password etc. You want ssl for all. There is no security if you have logon encrypted in a stateless

[Zope] Re: Zope/Plone logon security strategy etc

2006-01-25 Thread michael nt milne
Yes I agree, having checked on basic http authentication I need SSL. Basic http and cookie auth is insecure. I just feel that zope should have this facility even with a self signed certificate, so that you could do it without Apache and had more options. The option to even just have it on for site

[Zope] Re: Zope/Plone logon security strategy etc

2006-01-25 Thread Tino Wildenhain
michael nt milne schrieb: Yes I agree, having checked on basic http authentication I need SSL. Basic http and cookie auth is insecure. I just feel that zope should have this facility even with a self signed certificate, so that you could do it without Apache and had more options. The option to