For your consideration.
-------- Forwarded Message --------
From: Edward J. Huff ed@huff20may77.us To: webmaster@fedoraproject.org Subject: client-side cert should work for Firefox too Date: Sun, 14 Dec 2008 12:39:01 -0500
Since you generate client-side certificates, why don't you generate them for use in place of passwords when logging into the website? Then you wouldn't have to insist on changing passwords.
Ignacio Vazquez-Abrams wrote:
For your consideration.
-------- Forwarded Message --------
From: Edward J. Huff ed@huff20may77.us To: webmaster@fedoraproject.org Subject: client-side cert should work for Firefox too Date: Sun, 14 Dec 2008 12:39:01 -0500
Since you generate client-side certificates, why don't you generate them for use in place of passwords when logging into the website? Then you wouldn't have to insist on changing passwords.
Hello,
We've been looking at using client-side certificates for logging into Fedora Web Services for a while. One of our apps, koji.fedoraproject.org, only does authentication via SSL client certificates. Unfortunately, we've discovered that there's some tricky problems with CSRF and SSL Authentication that we'll need to solve before we're ready to enable this as the preferred method of authenticating for everything.
You can see the current CSRF portion of the SSL plan here: https://fedorahosted.org/fas/wiki/CSRF
-Toshio
infrastructure@lists.fedoraproject.org