Alan Burlison wrote:
> Simon Phipps wrote:
> 
>>> You have a single log in to the site, the same credentials are used 
>>> for both editing web pages and managing access to source code.
>> Right. And I only want one log-in. What I'm suggesting is that you don't 
>> age the credentials uniformly across the site. Rather, I am suggesting 
>> that you age them aggressively in areas where the leverage gained by 
>> abuse is strong (e.g. changing SSH keys) and age them very casually 
>> elsewhere. I once again assert that it's a bad choice to burden every 
>> interaction simply to protect a very small minority of interactions.
> 
> That's difficult to implement and will be confusing for users.  We won't 
> therefore be doing that.

So instead should we be encouraging everyone to move all webpage content
to the genunix wiki, with its less obnoxious authentication timeouts, and
abandon all use of opensolaris.org for everything but the source code?
Will that be less confusing for users than simply always requiring
authentication to change your ssh key and allowing long timeouts for
cookies for the rest of the site?  (As Simon points out, I find nothing
confusing about Amazon remembering who I am when I visit, but making me
type my password before accessing my credit card.)

Does anyone use the cookies to track metrics of how often our registered
users visit the site? With cookies forced to expire, the only users who
will log in will be those who need to edit pages, and the vast majority
of our registered users will return to being anonymous.

-- 
        -Alan Coopersmith-           [EMAIL PROTECTED]
         Sun Microsystems, Inc. - X Window System Engineering

_______________________________________________
website-discuss mailing list
[email protected]
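
The policy argued for in this thread (one login, a long-lived cookie, and password re-entry only before high-leverage actions such as changing an SSH key) can be sketched as below. This is an added example, not part of the thread or of any opensolaris.org code; the action names, timeout values and `Session` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass

DAY = 86400
COOKIE_LIFETIME = 90 * DAY  # assumed lifetime of the single site-wide login

# Assumed per-action limit on how long ago the password was last typed.
MAX_AUTH_AGE = {
    "identify_visitor": COOKIE_LIFETIME,  # casual aging: just remember who this is
    "edit_page": 30 * DAY,
    "change_ssh_key": 5 * 60,             # aggressive aging: high-leverage action
}
# Actions nobody has classified fall back to the strictest limit.
STRICTEST = min(MAX_AUTH_AGE.values())


@dataclass
class Session:
    user: str
    issued_at: float         # when the login cookie was issued
    last_password_at: float  # when the password was last verified


def decide(session, action, now):
    """Return 'allow', 'reauth' (ask for the password again, keep the
    session) or 'login' (no usable session at all)."""
    if session is None:
        return "login"
    cookie_age = now - session.issued_at
    if cookie_age < 0 or cookie_age > COOKIE_LIFETIME:
        return "login"  # expired, or a timestamp from the future
    auth_age = now - session.last_password_at
    limit = MAX_AUTH_AGE.get(action, STRICTEST)
    if auth_age < 0 or auth_age > limit:
        return "reauth"
    return "allow"


def reauthenticate(session, password_ok, now):
    """Record a successful password check; the cookie itself is not reissued."""
    if password_ok:
        session.last_password_at = now
    return password_ok
```

The cookie lifetime and the per-action password freshness are separate clocks, so a returning visitor stays identified for metrics and page edits while an SSH key change still prompts for the password.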
