Re: Two-factor auth for Bugzilla

2011-02-06 Thread Ian G
On 7/02/11 2:38 AM, Florian Weimer wrote: * Gervase Markham: Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla accounts. https://bugzilla.mozilla.org/show_bug.cgi?id=570252 The IP address restriction is a pretty strong factor. Basically, it means that a potential attack

Re: Two-factor auth for Bugzilla

2011-02-06 Thread Eddy Nigg
On 02/06/2011 05:38 PM, From Florian Weimer: The IP address restriction is a pretty strong factor. Florian, tell me what your IP is and I'll log into Bugzilla next time with that IP. Getting to know your IP is fairly easy too. -- Regards Signer: Eddy Nigg, StartCom Ltd. XMPP:start...@s

Re: Two-factor auth for Bugzilla

2011-02-06 Thread Florian Weimer
* Marsh Ray: > My personal opinion is that IP source addresses are not actually a > particularly strong factor. Here are some reasons: It really depends on what you're dealing with. Mozilla shouldn't disclose that to the general public, so it's difficult to make good recommendations. >> As a re

Re: Two-factor auth for Bugzilla

2011-02-06 Thread Marsh Ray
On 02/06/2011 09:38 AM, Florian Weimer wrote: The IP address restriction is a pretty strong factor. Basically, it means that a potential attacker would have to compromise a device quite close to the user (possibly the terminal itself). We end up in a deep discussion about this every few weeks

Re: Two-factor auth for Bugzilla

2011-02-06 Thread Florian Weimer
* Gervase Markham: > Goal: fix bug 570252. Provide 2-factor authentication for some > Bugzilla accounts. > https://bugzilla.mozilla.org/show_bug.cgi?id=570252 The IP address restriction is a pretty strong factor. Basically, it means that a potential attacker would have to compromise a device qui

Re: Two-factor auth for Bugzilla

2011-02-03 Thread Martin Paljak
On Feb 2, 2011, at 7:15 AM, aerow...@gmail.com wrote: > > On Tue, Feb 1, 2011 at 1:19 PM, Marsh Ray wrote: >> On 02/01/2011 02:41 PM, Anders Rundgren wrote: >> >> What about the client cert in a smart card? >> >> That's old and standard and supported by Mozilla. >> >> I don't know what kind

Re: Two-factor auth for Bugzilla

2011-02-03 Thread Martin Paljak
Hello, On Feb 1, 2011, at 10:02 PM, Marsh Ray wrote: > On 02/01/2011 10:56 AM, Gervase Markham wrote: >> Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla >> accounts. >> https://bugzilla.mozilla.org/show_bug.cgi?id=570252 >> >> Sub-goal: do it in a way which doesn't involve

Re: Two-factor auth for Bugzilla

2011-02-03 Thread Anders Rundgren
Matej Kurpel wrote: On 3. 2. 2011 9:21, Anders Rundgren wrote: Matej Kurpel wrote: On 2. 2. 2011 13:37, Gervase Markham wrote: On 01/02/11 18:08, Matej Kurpel wrote: @Q4: I am doing this as my diploma thesis, it works for Windows Mobile phones/PDAs and is tested with Firefox and Thunderbird.

Re: Two-factor auth for Bugzilla

2011-02-03 Thread Matej Kurpel
On 3. 2. 2011 9:21, Anders Rundgren wrote: Matej Kurpel wrote: On 2. 2. 2011 13:37, Gervase Markham wrote: On 01/02/11 18:08, Matej Kurpel wrote: @Q4: I am doing this as my diploma thesis, it works for Windows Mobile phones/PDAs and is tested with Firefox and Thunderbird. Certificate login wor

Re: Two-factor auth for Bugzilla

2011-02-03 Thread Anders Rundgren
Matej Kurpel wrote: On 2. 2. 2011 13:37, Gervase Markham wrote: On 01/02/11 18:08, Matej Kurpel wrote: @Q4: I am doing this as my diploma thesis, it works for Windows Mobile phones/PDAs and is tested with Firefox and Thunderbird. Certificate login works fine in Firefox. Can you tell us a bit

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Robert Relyea
On 02/02/2011 04:48 AM, Gervase Markham wrote: > On 01/02/11 23:03, Robert Relyea wrote: >> 1) use request/not require certificate. If a certificate is supplied, >> that will show up in the initial handshake. The certificate will tell >> the server which account and you can bypass login altogether.

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Marsh Ray
On 02/02/2011 06:41 AM, Gervase Markham wrote: On 01/02/11 20:02, Marsh Ray wrote: Whether or not client certs count as a second factor is somewhat philosophical. In some sense, the private key stored in the browser functions as another "something you know" like a password. If the PC is pwned, t

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Matej Kurpel
On 2. 2. 2011 13:37, Gervase Markham wrote: On 01/02/11 18:08, Matej Kurpel wrote: @Q4: I am doing this as my diploma thesis, it works for Windows Mobile phones/PDAs and is tested with Firefox and Thunderbird. Certificate login works fine in Firefox. Can you tell us a bit more about this? How

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Eddy Nigg
On 02/02/2011 02:41 PM, From Gervase Markham: If your computer is pwned, you have lost. So I'm not worried about the disadvantages of client certs from that perspective. If your computer is taken over, neither username.password pairs will help you... I'm more worried about their possible us

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Bradley Baetz
On 02/02/11 23:48, Gervase Markham wrote: Sounds technically plausible - we can possibly require all the security group to use Firefox 4 - but seems like it would require some serious Apache mod_ssl hacking. Not necessarily - Bugzilla could, for those accounts, instead of generating the ses

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Gervase Markham
On 01/02/11 23:03, Robert Relyea wrote: 1) use request/not require certificate. If a certificate is supplied, that will show up in the initial handshake. The certificate will tell the server which account and you can bypass login altogether. If no certificate is supplied, you can bounce to user t

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Gervase Markham
On 01/02/11 20:02, Marsh Ray wrote: Whether or not client certs count as a second factor is somewhat philosophical. In some sense, the private key stored in the browser functions as another "something you know" like a password. If the PC is pwned, they can get the private key too. If your compu

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Gervase Markham
On 01/02/11 18:08, Matej Kurpel wrote: @Q4: I am doing this as my diploma thesis, it works for Windows Mobile phones/PDAs and is tested with Firefox and Thunderbird. Certificate login works fine in Firefox. Can you tell us a bit more about this? How does what you are doing compare to http://mo

Re: Two-factor auth for Bugzilla

2011-02-02 Thread Anders Rundgren
aerow...@gmail.com wrote: On Tue, Feb 1, 2011 at 1:19 PM, Marsh Ray wrote: On 02/01/2011 02:41 PM, Anders Rundgren wrote: What about the client cert in a smart card? That's old and standard and supported by Mozilla. I don't know what kind of prices you'd have to pay for small quantities tho

Re: Two-factor auth for Bugzilla

2011-02-01 Thread aerowolf
On Tue, Feb 1, 2011 at 1:19 PM, Marsh Ray wrote: On 02/01/2011 02:41 PM, Anders Rundgren wrote: What about the client cert in a smart card? That's old and standard and supported by Mozilla. I don't know what kind of prices you'd have to pay for small quantities though. $119 if you go with

Re: Two-factor auth for Bugzilla

2011-02-01 Thread aerowolf
On Tue, Feb 1, 2011 at 12:02 PM, Marsh Ray wrote: can meet the requirement of "implement it only for some accounts" (with the implicit requirement that it doesn't bother or affect people who are not using it). Can a client certificate solution be made to work? Those accounts would probably h

Re: Two-factor auth for Bugzilla

2011-02-01 Thread Robert Relyea
On 02/01/2011 12:02 PM, Marsh Ray wrote: > On 02/01/2011 10:56 AM, Gervase Markham wrote: >> Dear crypto-hackers, >> >> Your thoughts on the following problem would be appreciated. >> >> Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla >> accounts. >> https://bugzilla.mozilla

Re: Two-factor auth for Bugzilla

2011-02-01 Thread Marsh Ray
On 02/01/2011 02:41 PM, Anders Rundgren wrote: Gervase, The ability to use a chip as holder of credentials for on-line providers like Bugzilla is unlikely to happen in a major way until there is an open solution for getting keys down into the chip/container that is: 1. Usable by non-experts 2.

Re: Two-factor auth for Bugzilla

2011-02-01 Thread Anders Rundgren
Gervase, The ability to use a chip as holder of credentials for on-line providers like Bugzilla is unlikely to happen in a major way until there is an open solution for getting keys down into the chip/container that is: 1. Usable by non-experts 2. Is secure in such a way that banks could use it

Re: Two-factor auth for Bugzilla

2011-02-01 Thread Marsh Ray
On 02/01/2011 10:56 AM, Gervase Markham wrote: Dear crypto-hackers, Your thoughts on the following problem would be appreciated. Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla accounts. https://bugzilla.mozilla.org/show_bug.cgi?id=570252 Sub-goal: do it in a way which

Re: Two-factor auth for Bugzilla

2011-02-01 Thread Matej Kurpel
On 1. 2. 2011 17:56, Gervase Markham wrote: Dear crypto-hackers, Your thoughts on the following problem would be appreciated. Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla accounts. https://bugzilla.mozilla.org/show_bug.cgi?id=570252 Sub-goal: do it in a way which d

Two-factor auth for Bugzilla

2011-02-01 Thread Gervase Markham
Dear crypto-hackers, Your thoughts on the following problem would be appreciated. Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla accounts. https://bugzilla.mozilla.org/show_bug.cgi?id=570252 Sub-goal: do it in a way which doesn't involve purchasing or running proprie