PMXBOT Log file Viewer

#pypa-dev logs for Tuesday the 30th of April, 2019

[17:41:20] <sumanah> EWDurbin: di_codes woodruffw so it looks like in our help text for Warehouse we're going to refer to it as two factor authentication (2FA) rather than MFA
[17:41:55] <sumanah> am I right in understanding that in public communications we're fine with calling it 2FA rather than MFA because we are only going to be allowing 2 forms rather than 3+ forms of auth?
[17:42:09] <sumanah> (as in 2 rather than 3+ forms of auth necessary for a single login)
[17:56:50] <sumanah> woodruffw: actually I could use clarity on a few things - lemme know if you have time for a quick phone call in the next hour?
[18:00:40] <woodruffw> sumanah: sure, i could do a call any time during this hour (2-3PM)
[18:01:51] <woodruffw> (following up on the PSF slack right now)
[18:09:20] <sumanah> Thanks woodruffw
[18:09:27] <woodruffw> no problem :)
[18:09:28] <sumanah> ok so to make sure I understand, in my own words
[18:09:42] <sumanah> well actually before I do that - could you speak to 2FA vs MFA?
[18:11:12] <woodruffw> sure: 2FA and MFA *mostly* mean the same thing in this context. in principle they refer to slightly different security models (having >2 distinct factors, like you said), but nobody agrees on what third factors are and it ends up being used interchangeably with "2FA" for the most part
[18:11:27] <woodruffw> for our use case, all that matters is that we're consistent IMO
[18:12:24] <woodruffw> for background: a first factor is something you know (password), a second factor is something you possess or something you are (a fingerprint/TOTP/security key)
[18:12:48] <sumanah> right, I remember that from Schneier
[18:12:59] <sumanah> (I figure you're speaking not just to me but The Audience here :) )
[18:13:10] <woodruffw> yup!
[18:13:30] <woodruffw> i'm personally guilty of using 2FA and MFA to mean the same thing
[18:13:34] <sumanah> [IMMORTALIZED in http://kafka.dcpython.org/day/pypa-dev/2019-04-30 ]
[18:13:38] <sumanah> AHA
[18:15:30] <sumanah> woodruffw: ok I'm gonna say "2FA" in public communications then
[18:15:42] <woodruffw> so to stop myself from rambling: either is fine as long as we're consistent. i used "2FA" within the PR and parts of the codebase now refer to second factors, so "2FA" is a good choice
[18:15:48] <woodruffw> perfect!
[18:16:09] <sumanah> woodruffw: and as for the FIDO/U2F stuff, in public communications I'm gonna say (as appropriate to the audience):
[18:17:05] <sumanah> if you think you want to use FIDO/U2F stuff, you probably actually want to use a WebAuthn device/tool/thing, and we will be working on supporting it next, but please do try out the TOTP functionality so we can shake out its bugs, you can change the device later
[18:17:34] <pancakes09> Is the PSF Slack open to everyone?
[18:19:02] <sumanah> I'm actually not sure about that
[18:19:22] <sumanah> there was a private question I needed to ask William so I asked it there but I then moved the conversation here
[18:20:14] <sumanah> I wonder whether other people have as strong an association between Yubikey https://www.yubico.com/ and U2F as I did up till 5 min ago
[18:20:21] <woodruffw> sumanah: that sounds pretty good to me. one small nit: just call it "U2F" because "FIDO" is so overloaded (name of the org + multiple differing standards, some of which are unrelated to U2F)
[18:20:26] <sumanah> ok
[18:20:41] <sumanah> woodruffw: sure, I hear ya. argh names!!
[18:21:10] <woodruffw> verily one of the hardest problems in CS :-)
[18:21:23] <sumanah> ha, yep
[18:21:34] <sumanah> woodruffw: do users need to verify email on PyPI in order to enable TOTP? my understanding is no
[18:21:43] <sumanah> I mean it's a good idea, but it's not required. right?
[18:21:52] <woodruffw> correct, not required
[18:22:33] <sumanah> di_codes: hey, in your opinion, if something glitches during this 2FA beta period, having a verified email address will make account recovery a little smoother for the users, right?
[18:23:24] <sumanah> woodruffw: I think that's it for the things I need to check right now with you! I'll share my announcement text on GitHub in https://github.com/pypa/warehouse/issues/5661 so you can correct stuff. hope to send it out tomorrow
[18:23:28] <sumanah> or even tonight
[18:24:09] <sumanah> woodruffw: you've probably seen that several people interested in this topic are going to be at PyCon
[18:25:17] <sumanah> but you don't plan to be there, correcy?
[18:25:20] <sumanah> correct*
[18:26:16] <woodruffw> yes, unfortunately
[18:26:26] <sumanah> woodruffw: who else from Trail of Bits might be there?
[18:26:51] <woodruffw> sumanah: Paul Kehrer for sure, possibly some other people (i haven't checked in with everybody)
[18:27:08] <sumanah> woodruffw: if you could, and could let me know, that'd be cool!
[18:27:26] <sumanah> or speak up on https://discuss.python.org/t/pycon-us-packaging-mini-summit-2019/833/6
[18:27:29] <woodruffw> will do!
[18:31:12] <woodruffw> sumanah: okay, did a quick poll: i think Paul is the only one going (Infiltrate is one of our big almost-all-hands events every year, so it's unfortunate that they line up like this...)
[18:33:14] <sumanah> woodruffw: ok - remind me of Paul's surname or handle? I'm having a bit of trouble
[18:33:34] <sumanah> Paul Kehrer ?
[18:33:39] <woodruffw> sumanah: he goes by reaperhulk on github, i believe that's his handle elsewhere as well
[18:33:44] <woodruffw> but yes, Paul Kehrer
[18:33:45] <sumanah> ah yes
[18:33:47] <sumanah> reaperhulk, got it
[18:52:14] <ehashman> (note that reaperhulk is an anagram of Paul Kehrer!)
[18:52:33] <ehashman> he is on Freenode but not in this channel.
[18:54:03] <sumanah> Ahhhhhh
[18:56:35] <ehashman> you might try #cryptography-dev!
[20:33:53] <sumanah> working on https://wiki.python.org/psf/WarehousePackageMaintainerTesting