Re: [Tools-team] Agenda for the 14 June 2006 Teleconference
Henrik Levkowetz <henrik@levkowetz.com> Wed, 14 June 2006 17:39 UTC
Message-ID: <449049D5.9030204@levkowetz.com>
Date: Wed, 14 Jun 2006 19:39:33 +0200
From: Henrik Levkowetz <henrik@levkowetz.com>
To: Tero Kivinen <kivinen@iki.fi>
Subject: Re: [Tools-team] Agenda for the 14 June 2006 Teleconference
References: <44902CF5.4030606@levkowetz.com>
<17552.16412.516987.746408@fireball.kivinen.iki.fi>
In-Reply-To: <17552.16412.516987.746408@fireball.kivinen.iki.fi>
Cc: Tools-team <tools-team@ietf.org>
Hi Tero,

on 2006-06-14 18:58 Tero Kivinen said the following:
> Henrik Levkowetz writes:
>> 2. Status review
>>
>> * Dashboard
>> - Henrik
>
> Some comments about loginmgr.
>
> 1) That login manager really needs to require TLS protection, i.e.
> mandate that both the forms and the posts are always using TLS.

Yes. But to do that, I need a proper cert for tools.ietf.org, which I
don't have. I've been planning to talk with Ray about it for some time,
but no time... I assume that this has to go through some entity that can
verify that we have a right to get a cert for tools.ietf.org. I also
wonder if we need separate certs for tools.ietf.org, www1.tools.ietf.org,
www2.tools.ietf.org and www3.tools.ietf.org...

> 2) The URL for changing password should only work exactly once, not
> for 24 hours. The problem with 24 hours is that if someone manages
> to get the URL later from my mailbox or some other place he can
> change my password after I changed it. If it works exactly once,
> either I will get an error that the password has already been changed
> using the URL (i.e. I know there was an attacker who stole my URL) or
> the attacker cannot change my password after I have successfully
> changed it. Perhaps storing the used auth sha1sum to some directory
> and checking that it cannot be there before continuing.

I agree, and this is already on my todo list, but I wanted to get the
base functionality out there first. This can be accomplished without
changing what I have now, only putting in an additional check in the
script which verifies the hash.

Something else which you haven't mentioned but is also on my todo list
is rate limiting on requesting the mail with a new password URL, so
people can't anonymously annoy others with a stream of mails with new
password URLs.

Thanks for the feedback :-)

Henrik
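The two points discussed in the thread, a password-reset URL that is valid for exactly one redemption (with the hash of each used token recorded so a replayed URL is refused), and rate limiting of reset-mail requests per account, can be sketched as follows. This is an added illustration written for this archive page; it is not the loginmgr code from tools.ietf.org and makes no claim about how that script was implemented. The class name, the SHA-256 digest (the mail mentions sha1sum; the digest choice is an assumption here), the 24-hour lifetime, the per-account limit of 3 requests per hour and the in-memory sets standing in for the "used hash directory" are all assumptions of this example.

```python
import hashlib
import os
import time


class ResetTokenStore:
    """Single-use password-reset tokens plus per-account request rate limiting.

    Only the digest of a token is ever stored; the raw token travels in the
    mailed URL. A token becomes invalid the moment it is redeemed, regardless
    of how much of its 24-hour lifetime remains. (Example code; assumptions
    are noted in the constructor defaults.)
    """

    def __init__(self, ttl_seconds=24 * 3600, max_requests=3,
                 window_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds              # assumed: URL lifetime from the mail
        self.max_requests = max_requests    # assumed: mails per account per window
        self.window = window_seconds
        self.clock = clock                  # injectable for deterministic tests
        self._pending = {}                  # token digest -> (username, issued_at)
        self._used = set()                  # digests already redeemed ("used hash directory")
        self._requests = {}                 # username -> recent request timestamps
        self.passwords = {}                 # username -> stored password hash

    @staticmethod
    def _digest(token):
        # Store only a digest so a leaked store does not yield usable URLs.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_reset(self, username):
        """Issue a fresh token, or return None when the account is rate limited."""
        now = self.clock()
        recent = [t for t in self._requests.get(username, []) if now - t < self.window]
        if len(recent) >= self.max_requests:
            self._requests[username] = recent
            return None                     # no further mail sent this window
        recent.append(now)
        self._requests[username] = recent
        token = os.urandom(32).hex()        # unguessable, 256 bits of entropy
        self._pending[self._digest(token)] = (username, now)
        return token                        # caller embeds this in the mailed URL

    def redeem(self, token, new_password_hash):
        """Consume the token exactly once and set the new password.

        Returns one of: "ok", "already-used", "invalid", "expired".
        """
        digest = self._digest(token)
        if digest in self._used:
            # The same URL presented a second time: refuse, and the legitimate
            # user learns their reset link was replayed.
            return "already-used"
        entry = self._pending.get(digest)
        if entry is None:
            return "invalid"
        username, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            del self._pending[digest]
            return "expired"
        # Mark as used before changing anything, so a concurrent second
        # presentation cannot also succeed.
        self._used.add(digest)
        del self._pending[digest]
        self.passwords[username] = new_password_hash
        return "ok"


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.request_reset("alice")
    print(store.redeem(tok, "hash-of-new-password"))   # ok
    print(store.redeem(tok, "hash-of-attacker-pw"))    # already-used
```

The used-digest set is kept in memory here; in a real deployment it would live on disk or in the database so that it survives restarts, and entries can be pruned once they are older than the token lifetime, since an expired token is refused anyway.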