Re: Working on a security best practices document
- Subject: Re: Working on a security best practices document
- From: Luke <..hidden..>
- Date: Thu, 4 Feb 2010 13:14:30 -0500 (EST)
After reading your [Chris's] explanation to Michael about the way auth is
handled in 1.3, something occurred to me.
In the current system, the application itself handles all authentication.
It deals with the DBM directly on behalf of all users.
In the new system, you are offloading authentication to the web server,
and are therefore limited to the auth and encryption schemes offered by
Apache et al?
I was not following the discussion very closely until the last couple
of messages; apologies.
So what exactly is the sequence of authentication, SSL aside?
I will note re SSL, that I may not want SSL, etc., in an (Open)VPN based
environment. Not that it would be too detrimental to use, but it is an
unnecessary layer with pre-established P2P tunneling.
Forgive my playing catchup.
Luke