PMXBOT Log file Viewer


#pypa-dev logs for Monday the 9th of February, 2015

[00:00:06] <lifeless> 2FA for access to privileged ops on a site is arguably separate to 2FA for privileged IdP ops
[00:00:13] <lifeless> like account-settings access
[00:00:33] <lifeless> so I'd be fine with a scan-code setup for 2FA, with auth still federated
[00:03:02] <dstufft> the other downside, you say you don't need to worry about password resets, but we still do have to worry about password resets, right now anyone who logged in with google or myopenid can't log into their PyPI account, so they'd have to request a password reset from PyPI to gain access to them.
[00:03:52] <lifeless> what happened to myopenid ?
[00:04:09] <lifeless> oh, it closed down
[00:04:58] <lifeless> so, that's really quite different as a user: they didn't forget their passwords, the site closed down.
[00:05:07] <lifeless> as an operator, yes, pypi admins are hit
[00:05:21] <lifeless> those users should have signed in with a second identity during the warning period
[00:05:26] <lifeless> presumably myopenid emailed them...
[00:08:11] <dstufft> as a site operator it's choosing between give power over a critical part of your website to random third parties or asking people to make a password on your own site
[00:10:58] <lifeless> which is giving other third parties the ability to attack the users if that particular site is slack
[00:11:57] <dstufft> I'm not sure I can parse that sentence
[00:12:17] <dstufft> You mean if that particular site wrote their authentication poorly they can be attacked?
[00:12:38] <lifeless> and/or password reset attacks performed against them
[00:12:49] <lifeless> most sites don't offer or require 2FA
[00:12:54] <dstufft> You can say the same thing about ACLs on a site, or any other random thing
[00:13:12] <lifeless> not if the site doesn't have the feature at all :)
[00:13:21] <lifeless> which is one reason I'm so much a fan of federated auth
[00:13:27] <dstufft> If the site doesn't have ACLs or anything private then what's the point of auth
[00:13:43] <lifeless> I didn't say that
[00:14:02] <lifeless> I mean that I don't need to trust the implementation of credential storage if there isn't any
[00:14:16] <dstufft> sure, but that's just one of dozens or hundreds of things that you have to trust anyways
[00:14:30] <dstufft> instead of trusting credential storage you have to trust their openid implementation
[00:14:52] <lifeless> true
[00:15:21] <lifeless> anyhow, enough said I think. As a user, I adore federated auth and truly hate every site that forces me to make yet another random password up.
[00:15:32] <lifeless> TRULY HATE.
[00:16:11] <dstufft> and it makes things increasingly more centralized. How many things could people attack if they got your github (or google or whatever) account. For me it would be a lot
[00:18:17] <lifeless> The same mechanism allows running your own IdP, at least if sites allow that :(. That's shrinking too and makes me sad. Persona had promise there, then they went insane and created local passwords.
[00:21:04] <dstufft> I was hesitant on persona, I think theoretically it's got the UX better than openid (let's be honest, only nerds are only ever going to view a URL as an identifier, which is why Sign in with X buttons are popular even if X is an OpenID or OAuth) since it used emails
[00:21:12] <dstufft> but it also relied on random email providers to implement it
[00:22:48] <dstufft> which meant it was ultimately doomed to failure
[00:23:43] <lifeless> they had a fallback
[00:23:46] <lifeless> which didn't require that
[00:25:41] <dstufft> sure, but the fallback wasn't much better than a "Sign in with your Mozilla account" button that used openid or oauth or whatever.
[00:25:56] <dstufft> the true goal behind persona was that it'd tie in with your email account
[00:27:17] <lifeless> and the fallback did that
[00:27:28] <lifeless> it fell back to sending you an email that you clicked on
[00:27:41] <lifeless> on your phone or whatever you had that had access to the email account
[00:28:04] <lifeless> later on they broke this
[00:29:05] <dstufft> anyways, I think the value proposition of federated auth for "my tiny little site that does barely nothing" and say, PyPI are completely different. For a tiny little website where they benefit from the extra ease of use over "just click button to sign in" federated auth can be a real benefit for both the small site and the user. For something like PyPI I don't think the loss of control over authentication is really worth it
[00:31:19] <lifeless> https://github.com/mozilla/persona/issues/3494 FTR
[00:31:53] <lifeless> Also, I think that the credibility of Persona as a project that "aims at eliminating passwords" would benefit from giving users the ability to eliminate the fallback password.
[22:49:42] <r1chardj0n3s> dstufft: we should just use http://openstackid.org/ as our identity provider for pypi ;)
[22:50:10] <dstufft> r1chardj0n3s: heh, the software is on my list of things to look at