[Zope] Zope security management

Bill Welch bill@carbonecho.com
Tue, 20 Mar 2001 15:02:24 -0500 (EST)


Thanks for all the responses to the 'password in the clear' segment of
this thread.

I see another issue arising out of this. For all the effort that's gone
into authentication/authorization/rols, nothing has been done about
enforcing encryption.

By that, I mean distinguishing requests that can only be sent over
encrypted channels. SSLAbsoluteURL, AFAIK, can't prevent someone from
constructing a url to get the same page in the clear. Short of going to an
all SSL site, I haven't found any useful way to ensure that confidential
pages are available *only* encrypted.

> Given the availability of Apache+SSL (and otherz like Roxen) to
> front-end Zope, we are highly unlikely to add SSL into the Zope
> core;  it incurs non-trivial development and configuration costs
> for those who *don't* need it.

OK, the issue isn't the encryption method (SSL), it's designating pages as
confidential and ensuring that their delivery is encrypted. I think it has
to be designed into zope just as solidly as users and roles. That's why I
think there's a DC issue here.

Bill.