Re: [Evolution-hackers] Authentication/Password Issue in Evolution Data Server .....



Yes.  We must always plan for untrusted code to be run on the part of the
user.  Granted there is not much we can do about it but we can make it so
that the passwords remain safe and that one application will be able to
use them.  That is to say no password or key caching should happen in a
lib.

--- Chris Toshok <toshok ximian com> wrote:
> Hm, insecure how?  Meaning the "once one client authenticates they're
> all authenticated" problem?  This is definitely an issue, if you're
> mixing trusted code (evolution, say) and non-trusted code (some libebook
> using script your script-kiddie friend wrote)
> 
> Chris
> 
> On Wed, 2004-03-10 at 11:08, Mike Mestnik wrote:
> > This would seem very difficult to make secure, i.e. Java applets from
> > the web.  However I think I'm going to have a similar problem, though I
> > haven't yet come across documentation in the ebook docs for
> > authentication.
> > 
> > --- Amit Shrivastava <samit novell com> wrote:
> > > Hi,
> > > 
> > > I am using evolution-data-server API to get addressbooks data for
> > > OO.o, so at the backend it uses ldap server, groupwise server etc.
> > > based on the URI.
> > > 
> > > For authenticating to the backend servers (ldap server, groupwise
> > > server, etc.), it is required to provide a password for each of the
> > > servers and manage these passwords in the client. "evolution" also
> > > caches/manages these passwords; similarly, each of the clients has
> > > to do some password management, which is not a good thing.
> > > 
> > > It should be such that once a client (either evolution) provides
> > > the password, it should be cached by the eds server and managed
> > > subsequently, and the client shouldn't care about the backend
> > > authentication. I hope we can avoid even the first-time password,
> > > something like iLogin: once I log in to my desktop I don't need to
> > > provide a password for any applications :-).
> > > 
> > > It will be a good option that the passwords for the backends are
> > > managed by evolution-data-server, and the client just needs to tell
> > > other configuration parameters, and never meddles with the passwords.
> > > 
> > > 
> > > regards,
> > > Amit 
> > > _______________________________________________
> > > evolution-hackers maillist  -  evolution-hackers lists ximian com
> > > http://lists.ximian.com/mailman/listinfo/evolution-hackers

