[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Working on a security best practices document

After reading your [Chris's] explanation to Michael about the way auth is handled in 1.3, something occurred to me.

In the current system, the application itself handles all authentication. It deals with the DBM directly on behalf of all users.

In the new system, you are offloading authentication to the web server, and are therefore limited to the auth and encryption schemes offered by Apache et al?

I was not following the discussion very closely until the last couple of messages; apologies.

So what exactly is the sequence of authentication, SSL aside?

I will note re SSL, that I may not want SSL, etc., in an (Open)VPN based environment. Not that it would be too detromental to use, but it is an unnecessary layer with pre-established P2P tunneling.

Forgive my playing catchup.