Hello,
On Feb 1, 2011, at 10:02 PM, Marsh Ray wrote:

> On 02/01/2011 10:56 AM, Gervase Markham wrote:
>> Goal: fix bug 570252. Provide 2-factor authentication for some Bugzilla
>> accounts.
>> https://bugzilla.mozilla.org/show_bug.cgi?id=570252
>> 
>> Sub-goal: do it in a way which doesn't involve purchasing or running
>> proprietary software.
>> 
>> Q1) There is conflicting advice in that bug about whether a client
>> certificate-based solution
> 
> Whether or not client certs count as a second factor is somewhat 
> philosophical. In some sense, the private key stored in the browser functions 
> as another "something you know" like a password. If the PC is pwned, they can 
> get the private key too.
> 
> Of course, just about anything is better than just a password alone.
Agreed.


>> can meet the requirement of "implement it
>> only for some accounts" (with the implicit requirement that it doesn't
>> bother or affect people who are not using it). Can a client certificate
>> solution be made to work?
> 
> Those accounts would probably have to access a particular URL and be banned 
> from the main one. May or may not be an issue.
Just access through a different IP; re-negotiation through a URL in the same 
domain is a mess (especially after the recent re-negotiation flaw and 
different client-server versions).



>> Q2) If not, does anyone know of any commercial 2-factor systems which
>> can be implemented entirely with open source tools and software? (I'd
>> accept having to purchase closed hardware tokens.)
Smart cards. Generic JavaCards can run open source applets (MuscleApplet, 
CoolKey, though their maturity and universality varies/depends). OpenSC 
provides an open source PKCS#11 module that works with Firefox.

If you have just a few (5, 10) power users, you'll only need to maintain a list 
of "active" certificates (no need for CRLs or OCSP) and need to do a one-time 
token purchase, which will be quite future-proof.



> 
> Oooh oooh I do!
> I work at PhoneFactor (phonefactor.com). We use any ordinary phone as the 
> second factor and can integrate with nearly anything. Most people already 
> have cell phones, which can save a lot of deployment pain.
I suspect you'll ask for money for running the service globally. And 
availability depends on your service.



> 
> We have a 25 user version free. We love Mozilla and would love to get you 
> guys using it. Something tells me we would cut you guys a deal for open 
> source.
> 
> Right now we have an "SDK" web service interface that you could interface 
> with in the bugzilla code. We have sample client code for all the main web 
> scripting languages. If it's not already an open source license, I'm sure 
> we'd release it. But really it's just exchanging a bit of XML with libcurl or 
> whatever.
> 
> We also have a PhoneFactor Agent that runs on MS Windows, but of course not 
> everyone has that as part of their backend systems.
> 
> Sorry if this sounds all sales-y. I'm really just a developer and hacker. But 
> I do love to discuss this subject.





-- 
@MartinPaljak.net
+3725156495

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
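The "list of active certificates" idea from the reply above, as an added example that is not part of the thread and not Bugzilla's own code. It assumes the TLS terminator in front of the application (Apache mod_ssl with `SSLVerifyClient require` and `SSLOptions +ExportCertData` is the assumed setup) has already validated the client certificate chain and exports the result in the `SSL_CLIENT_VERIFY` and `SSL_CLIENT_CERT` variables; the application then maps the certificate's SHA-256 fingerprint to a login through a small allowlist, so revocation is just deleting an entry. The two "certificates" embedded below are constructed placeholder bytes, not real X.509 structures, so the script runs offline.

```python
"""Allowlist-based client certificate mapping (added example, not from the thread).

Assumption: a TLS front end has verified the chain and exports the PEM client
certificate as SSL_CLIENT_CERT and the outcome as SSL_CLIENT_VERIFY (mod_ssl
naming).  The application never touches a CRL or OCSP responder: a cert is
valid exactly as long as its fingerprint sits in ACTIVE_CERTS.
"""
import base64
import hashlib
import hmac
import re
import textwrap
from typing import Dict, Optional

# Tolerates both real newlines and the space-separated form some front ends
# use when they pass the PEM through a header or environment variable.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (used here to build sample input)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block; ValueError if malformed."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    # validate=True makes stray characters an error instead of being skipped.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated upper-case hex, the form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def account_for_client_cert(env: Dict[str, str],
                            active_certs: Dict[str, str]) -> Optional[str]:
    """Return the login bound to the presented certificate, or None to fall back to password auth."""
    # Only trust a certificate the front end actually validated against its CA.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    pem = env.get("SSL_CLIENT_CERT")
    if not pem:
        return None
    try:
        presented = fingerprint_sha256(pem_to_der(pem))
    except ValueError:
        return None
    # compare_digest keeps the lookup timing independent of where a mismatch occurs.
    for known_fp, login in active_certs.items():
        if hmac.compare_digest(presented, known_fp):
            return login
    return None


def revoke(active_certs: Dict[str, str], fp: str) -> bool:
    """Revocation for a handful of power users: drop the fingerprint from the allowlist."""
    return active_certs.pop(fp, None) is not None


# Constructed placeholder "certificates": not real DER, just stand-in bytes.
ALICE_DER = b"constructed placeholder, not a real X.509 certificate: alice"
BOB_DER = b"constructed placeholder, not a real X.509 certificate: bob"

# Hypothetical allowlist; in practice a small table keyed by fingerprint.
ACTIVE_CERTS: Dict[str, str] = {fingerprint_sha256(ALICE_DER): "alice@example.org"}


if __name__ == "__main__":
    env_ok = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": der_to_pem(ALICE_DER)}
    env_unknown = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": der_to_pem(BOB_DER)}
    env_unverified = {"SSL_CLIENT_VERIFY": "NONE", "SSL_CLIENT_CERT": der_to_pem(ALICE_DER)}
    print("alice, verified:  ", account_for_client_cert(env_ok, ACTIVE_CERTS))
    print("bob, not listed:  ", account_for_client_cert(env_unknown, ACTIVE_CERTS))
    print("alice, unverified:", account_for_client_cert(env_unverified, ACTIVE_CERTS))
    revoke(ACTIVE_CERTS, fingerprint_sha256(ALICE_DER))
    print("alice, revoked:   ", account_for_client_cert(env_ok, ACTIVE_CERTS))
```

Keying on the SHA-256 fingerprint of the whole DER certificate (rather than on the subject DN) means a re-issued or attacker-minted certificate with the same name is not accepted until someone explicitly adds the new fingerprint; the front end's `SSL_CLIENT_VERIFY` check is what stops a self-signed certificate from reaching the lookup at all.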