What ever happened...
Posted: Fri Sep 01, 2006 1:23 am
by alex.barylski
To that authentication library y'all were working on???

Posted: Fri Sep 01, 2006 1:37 am
by RobertGonzalez
I think Ambush Commander put up a SVN repository for it. Search the boards for the details.
Posted: Fri Sep 01, 2006 9:52 am
by Luke
It's on hold until Ambush (it was Ambush, right?) finishes a few things (can't remember what they are -- HTMLPurifier?)
Posted: Fri Sep 01, 2006 10:04 am
by alex.barylski
OK then... I just wanted to see how it was moving along... it was way too complex for me to consider using it...
I have my own system in the works anyways...
Posted: Fri Sep 01, 2006 10:37 am
by matthijs
I was following the thread with great interest as well. Bit too complicated to be able to use it myself, but enough to learn a thing or two.
Posted: Fri Sep 01, 2006 11:18 am
by alex.barylski
Authentication... in its most atomic state is very simple... answering (IMHO) a single question, so that's why I was turned off by the community proposal... or even Zend for that matter...
Simply put, authentication answers the question: "Are you logged in"
I dislike classes/libraries that try and mash authorization, session control, user creation, etc...those are all outside the domain of authentication...
Even CAPTCHA is outside the domain of an authentication library...but I suppose it seems useless to write a class which contains a single function, so people start looking for filler code and one thing leads to another and BAM you have a full blown security library, instead of a simple modular authentication class...
Posted: Fri Sep 01, 2006 12:27 pm
by Ambush Commander
Heh, I think the single greatest contribution of that project so far was the AuthTools notes.
Yep, it was put on hold until I wrangled HTMLPurifier into shape.
alex.barylski wrote: Simply put, authentication answers the question: "Are you logged in"
The next logical question, then, is
How did you log in? It took me a while to figure out how all the bits fit together. Authentication isn't atomic, although most of the time it is.
Posted: Fri Sep 01, 2006 12:29 pm
by Weirdan
alex.barylski wrote: Simply put, authentication answers the question: "Are you logged in"
Nope. Simply put, authentication answers the question: "Who you are and can you prove that".
Posted: Fri Sep 01, 2006 12:31 pm
by Ambush Commander
Weirdan wrote: Nope. Simply put, authentication answers the question: "Who you are and can you prove that".
Who's responsible for answering "How did you prove that?"
Posted: Fri Sep 01, 2006 12:35 pm
by Weirdan
Ambush Commander wrote: Who's responsible for answering "How did you prove that?"
There are different approaches. I prefer to check the client's SSL certificate.
Posted: Fri Sep 01, 2006 12:36 pm
by Ambush Commander
What I mean is if you allow multiple ways of letting a user prove who they are, how does the rest of the system figure out how the user proved it?
Posted: Fri Sep 01, 2006 1:30 pm
by Weirdan
Ambush Commander wrote: how does the rest of the system figure out how the user proved it?
Hmm... I don't think the rest of the system has to know 'how'. Isn't it enough to just know the user indeed proved that?
Posted: Fri Sep 01, 2006 1:31 pm
by Ambush Commander
Well, some people think that letting a person do administrative work on just a remember me token is insecure.

Posted: Fri Sep 01, 2006 2:03 pm
by alex.barylski
Weirdan wrote: Simply put, authentication answers the question: "Are you logged in"
Nope. Simply put, authentication answers the question: "Who you are and can you prove that".
I'm not sure I follow...and if I do...I'm not sure I agree...
What do you mean, can you prove it??? Using SSL isn't always an option...
You can verify the details were entered by a human using a Turing test like CAPTCHA, but that's about it considering the medium we're using and the technology available to us...
What other methods do you propose?
Posted: Fri Sep 01, 2006 2:09 pm
by Weirdan
Ambush Commander wrote: Well, some people think that letting a person do administrative work on just a remember me token is insecure.
Well, some people provide only a command-line administrative interface.
The code that uses the authenticator could provide the 'required security level' argument to it, exempli gratia.
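One way to build the "required security level" idea from Weirdan's last post and the "how did you prove it?" question Ambush Commander raised, as an added example (not code from this thread, AuthTools, or any library mentioned here): the authenticator remembers how identity was proven, and callers state the minimum proof they will accept. The level names and the demo credentials are this example's own assumptions.

```php
<?php
// Added example, not code from the thread or from any library it mentions. The authenticator
// records HOW identity was proven, so callers can demand a minimum proof level for sensitive work.
final class Authenticator
{
    // Proof levels, weakest to strongest (the names are this example's assumptions).
    public const LEVEL_ANONYMOUS   = 0;
    public const LEVEL_REMEMBER_ME = 1; // long-lived cookie token only
    public const LEVEL_PASSWORD    = 2; // password typed in this session
    public const LEVEL_CLIENT_CERT = 3; // TLS client certificate verified by the web server
    private ?string $user = null;
    private int $level = self::LEVEL_ANONYMOUS;
    public function loginWithRememberToken(string $user, string $token, string $expected): bool
    {
        // hash_equals() compares in constant time, so a wrong token leaks nothing via timing.
        return hash_equals($expected, $token) && $this->grant($user, self::LEVEL_REMEMBER_ME);
    }
    public function loginWithPassword(string $user, string $password, string $storedHash): bool
    {
        // password_verify() reads the algorithm and salt embedded in the stored hash.
        return password_verify($password, $storedHash) && $this->grant($user, self::LEVEL_PASSWORD);
    }
    // "Are you logged in?" is the weakest question; requireLevel() asks "how did you prove it?".
    public function isLoggedIn(): bool { return $this->level > self::LEVEL_ANONYMOUS; }
    public function requireLevel(int $required): void
    {
        if ($this->level < $required) {
            throw new RuntimeException("proof level {$required} required, session has {$this->level}");
        }
    }
    private function grant(string $user, int $level): bool
    {
        $this->user  = $user;
        $this->level = max($this->level, $level); // a weaker proof never downgrades a session
        return true;
    }
}

// Constructed demo: a remember-me session is "logged in", yet admin work is refused
// until the user steps up with a password.
$auth = new Authenticator();
$auth->loginWithRememberToken('alice', 'demo-token', 'demo-token');
var_dump($auth->isLoggedIn());                                      // bool(true)
try {
    $auth->requireLevel(Authenticator::LEVEL_PASSWORD);
} catch (RuntimeException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
$auth->loginWithPassword('alice', 'correct horse', password_hash('correct horse', PASSWORD_DEFAULT));
$auth->requireLevel(Authenticator::LEVEL_PASSWORD);                 // passes now
```

The rest of the system never needs to know the mechanism, only to call requireLevel() with the level its action needs, which is the split between "are you logged in" and "how did you log in" the thread argues over.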