What ever happened...


alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

To that authentication library y'all were working on??? :?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think Ambush Commander put up an SVN repository for it. Search the boards for the details.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

It's on hold until Ambush (it was Ambush, right?) finishes a few things (can't remember what they are -- HTMLPurifier?)
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

OK then...I just wanted to see how it was moving along...it was way too complex for me to consider using it...

I have my own system in the works anyways...
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

I was following the thread with great interest as well. Bit too complicated to be able to use it myself, but enough to learn a thing or two.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Authentication...in its most atomic state is very simple...answering (IMHO) a single question, so that's why I was turned off by the community proposal...or even Zend for that matter...

Simply put, authentication answers the question: "Are you logged in"

I dislike classes/libraries that try and mash authorization, session control, user creation, etc...those are all outside the domain of authentication...

Even CAPTCHA is outside the domain of an authentication library...but I suppose it seems useless to write a class which contains a single function, so people start looking for filler code and one thing leads to another and BAM you have a full-blown security library, instead of a simple modular authentication class...
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Heh, I think the single greatest contribution of that project so far was AuthTools notes.

Yep, it was put on hold until I wrangled HTMLPurifier into shape.
> Simply put, authentication answers the question: "Are you logged in"

The next logical question, then, is "How did you log in?" It took me a while to figure out how all the bits fit together. Authentication isn't atomic, although most of the time it is.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

> Simply put, authentication answers the question: "Are you logged in"

Nope. Simply put, authentication answers the question: "Who you are and can you prove that".
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

> Nope. Simply put, authentication answers the question: "Who you are and can you prove that".

Who's responsible for answering "How did you prove that?"
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

> Who's responsible for answering "How did you prove that?"

There are different approaches. I prefer to check client's SSL certificate.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

What I mean is if you allow multiple ways of letting a user prove who they are, how does the rest of the system figure out how the user proved it?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

> how does the rest of the system figure out how the user proved it?

Hmm... I don't think the rest of the system has to know 'how'. Isn't it enough to just know the user indeed proved that?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Well, some people think that letting a person do administrative work on just a remember me token is insecure. ;-)
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Weirdan wrote:
> > Simply put, authentication answers the question: "Are you logged in"
>
> Nope. Simply put, authentication answers the question: "Who you are and can you prove that".

I'm not sure I follow...and if I do...I'm not sure I agree...

What do you mean, can you prove it??? Using SSL isn't always an option...

You can verify the details were entered by a human using a Turing test like CAPTCHA, but that's about it considering the medium we're using and technology available to us...

What other methods do you propose?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

> Well, some people think that letting a person do administrative work on just a remember me token is insecure.

Well, some people provide only a command-line administrative interface :)

The code that uses the authenticator could provide the 'required security level' argument to it, exempli gratia.
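
The idea from the last few posts, a caller passing a required security level so that a "remember me" token alone cannot unlock administrative work, sketched as an added example that is not part of the original thread or of the library discussed. All class, method and constant names are assumptions, and state is held in memory rather than in a session.

```php
<?php
declare(strict_types=1);

// Assurance levels, weakest to strongest (names and values are assumptions).
const LEVEL_NONE        = 0; // not authenticated
const LEVEL_REMEMBER_ME = 1; // long-lived "remember me" cookie token
const LEVEL_PASSWORD    = 2; // password entered during this session
const LEVEL_CLIENT_CERT = 3; // verified SSL client certificate

final class Identity
{
    public function __construct(
        public readonly string $userId,
        public readonly int $level
    ) {}
}

final class Authenticator
{
    private ?Identity $identity = null;

    // Called by whichever login mechanism verified the user. A stronger proof
    // for the same user raises the level; a weaker one never lowers it.
    public function establish(string $userId, int $level): void
    {
        if ($this->identity !== null && $this->identity->userId === $userId) {
            $level = max($level, $this->identity->level);
        }
        $this->identity = new Identity($userId, $level);
    }

    // Callers state the level they need. They never inspect "how" the user
    // logged in, only whether the proof on record is strong enough.
    public function identify(int $requiredLevel = LEVEL_REMEMBER_ME): ?Identity
    {
        if ($this->identity === null || $this->identity->level < $requiredLevel) {
            return null; // caller should prompt for stronger credentials
        }
        return $this->identity;
    }
}

// Constructed walk-through with a sample user.
$auth = new Authenticator();
$auth->establish('alice', LEVEL_REMEMBER_ME);       // returned via cookie token
var_dump($auth->identify() !== null);               // ordinary page request
var_dump($auth->identify(LEVEL_PASSWORD) !== null); // admin page request
$auth->establish('alice', LEVEL_PASSWORD);          // user re-enters password
var_dump($auth->identify(LEVEL_PASSWORD) !== null); // admin page, second try
```

Because `identify()` returns `null` for both "not logged in" and "logged in too weakly", the calling page can treat either case the same way: ask for credentials again.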