[Zope] small RFC : how to enhance zopistas' web experience

Jens Vagelpohl jens@zope.com
Thu, 25 Jul 2002 08:39:32 -0400


first of all, i think this idea is very interesting. but the devil is in 
the details, and i'm not sure you realize what it is that you really want 
;)


> Considering that most Zope users are interested in most of these sites,
> except when the language is not English, and that some want to
> really participate, I think this registration process quickly
> becomes very boring, and remembering all the different passwords
> is difficult, unless you always use the same which is insecure.

i'm not sure about that assertion. i think a typical usage pattern is more 
like "everyone has their own small set of sites they visit regularly". i 
would think the number of users who really visit all these sites regularly 
is very small.

secondly, the registration is a one-time thing. you don't have to register 
every time.


> Couldn't it be possible that all these servers share the same
> authentication mechanism, i.e. only usernames and passwords, and
> do all their local stuff on their own (roles, possible actions,
> homepages, etc...), in one word (ok, two) : Centralized Authentication

i think what you *really* want (and the only thing that might bring any 
kind of difference to users at all) is single sign-on. i log into zope.org 
and when i jump to zopezen it will recognize and use the credentials i 
just entered when i visited zope.org.

having all users in the same repository will not make much of a difference 
to users. you still have to "log in" every time you visit a different site. 
that would not bring any discernible advantage, other than the fact that 
you would have the same username and password on all those sites. same 
username and password is kind of bad in itself because if some script 
kiddie finds out about one login he knows them all.

problem with centralized user repository: who would be administering such 
a server? who would be available if one site's webmaster or user has 
problems and needs assistance?


> This would have the great benefit of checking not if someone
> is part of myownlittlezopecommunity.org but the WHOLE Zope
> community, this would also better solder this
> sparse community IMHO.

well, ok, now you have all users in a single directory. i don't see how 
that would bring the community together more. it makes zero difference to 
the user, apart from having the same username/password all over.


> Of course I understand there are strong security drawbacks to this
> approach, but anyway this might be very good to make a real
> network of web sites strongly related to Zope, and could only
> strengthen the Zope community presence on the web.

what security drawbacks? the biggest security drawback is still the fact 
that basic auth and cookie auth send their data unencrypted from browser 
to server and back. that affects every site. the communication between 
server and LDAP can be guarded by SSL.

all in all i think what you really want is single sign-on. where usernames 
and passwords are stored and how is really secondary in that case. what's 
more important (and harder to do) is how can you make authentication 
credentials available to all participating servers so that the user does 
not need to type them in over and over again? basic HTTP auth is too 
limited for that. cookie auth is also problematic because cookies cannot 
be shared across domains.

jens
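As an added illustration of the two limits the last paragraph names (basic auth carries the password in the clear, and a cookie set by one site is never sent to another domain), here is a Python sketch that is not part of the thread. It uses only the standard library's http.cookiejar to model browser cookie scoping; the host names, user name and cookie values are constructed.

```python
import base64
from http.cookiejar import Cookie, CookieJar
from typing import Dict, Optional, Tuple
from urllib.request import Request

# All host names, user names and cookie values below are constructed for the demo.

def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def recover_basic_credentials(header: str) -> Tuple[str, str]:
    """Undo base64: anyone who sees the header on an unencrypted link gets the password back."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def make_session_cookie(domain: str, value: str) -> Cookie:
    """A Netscape-style session cookie scoped to one domain, as a site's cookie auth would set it."""
    return Cookie(version=0, name="session", value=value, port=None, port_specified=False,
                  domain=domain, domain_specified=True, domain_initial_dot=False,
                  path="/", path_specified=True, secure=False, expires=None, discard=True,
                  comment=None, comment_url=None, rest={})

def cookie_header_for(jar: CookieJar, url: str) -> Optional[str]:
    """The Cookie header the jar would attach to a request for url, or None if nothing matches."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the browser-style domain and path matching rules
    return req.get_header("Cookie")

def cookie_scope_demo(value: str = "ticket123") -> Dict[str, Optional[str]]:
    """Log in at zope.org, then see which hosts the session cookie is sent to."""
    jar = CookieJar()
    jar.set_cookie(make_session_cookie("zope.org", value))
    return {url: cookie_header_for(jar, url)
            for url in ("http://zope.org/", "http://www.zope.org/", "http://zopezen.org/")}

if __name__ == "__main__":
    hdr = basic_auth_header("alice", "s3cret")
    print(hdr, "->", recover_basic_credentials(hdr))
    for url, cookie in cookie_scope_demo().items():
        print(url, "->", cookie)
```

The cookie is attached for zope.org and its subdomain but not for zopezen.org, which is exactly why a cookie-based login at one site cannot be reused by another domain without some separate ticket-passing mechanism.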