John,

You don't have to buy our point, it was offered for free.

Seriously, the remark was a short way of saying something more complicated, which is that I would not trust various Perl data handling techniques to secure my accounting transactions. The limitation is the security of the http protocol, and that is going to be the case regardless of what implementation language I use, and what techniques I use. (Okay, Sql-ledger's way of doing this _is_ less secure than it needs to be, but I still wouldn't trust http basic auth outside our firewall.)

When you want to access your company's or a client's accounting data over the Internet, that's opening yourself to a whole new category of risk, so it's appropriate that you give some serious thought to how you're going to make it secure. I think Carey Durbin is on the right track in suggesting SSL, because it protects your authentication, not to mention the accounting data, from snooping.

But SSL by itself might not be enough, depending on how important your security is to you. Maybe you would be satisfied with http digest authentication to a secured Sql-ledger directory, but maybe you don't think that's strong enough. Maybe you would want to require clients to prove they are who they say they are, before allowing even an SSL connection to the server. You might do this by requiring users to present a browser certificate, or, if your network is kerberized, you might use kx509. Or you might require users to tunnel to the server over a VPN or ssh session. There are other possibilities, and all of them are compatible with SQL-Ledger in its current version.

Matt

On Mon, 2002-10-14 at 22:16, John Summerfield wrote:
> On Tue, 15 Oct 2002 01:08, Elizabeth Ziph wrote:
> > [monk] omits to mention: sql-ledger works, correctly. Code is
> > reasonably structured. This code review omits to measure the value the
> > code delivers. Safety concerns can be addressed by running on a secure
> > Intranet.
>
> I don't buy the Monks point, but I don't buy yours either. People want to (and
> do) access their accounts over the Internet.
>
> With SL one can visit a client, perform a service, and from the client's
> office, before leaving, record the transaction, print an invoice, exact and
> record payment.
>
> So, security is important, and so is understanding whether (and why) the
> transactions can be done securely.
>
> --
> Cheers
> John Summerfield
>
> Microsoft's most solid OS: http://www.geocities.com/rcwoolley/
> Join the "Linux Support by Small Businesses" list at
> http://mail.computerdatasafe.com.au/mailman/listinfo/lssb
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> -------------------------------------------------------
> (un)subscribe: http://lists.sourceforge.net/lists/listinfo/sql-ledger-users
> Archive: http://www.mail-archive.com/[email protected]/

--
Matt Benjamin
The Linux Box
206 South Fifth Ave. Suite 150
Ann Arbor, MI 48104
tel. 734-761-4689
fax. 734-769-8938
cel. 734-216-5309

