back to the *point* WAS: Re: [thesite] UEUE v.0.2 Update

Daniel J. Cody djc at members.evolt.org
Wed Nov 7 22:32:06 CST 2001


Mark Nickel wrote:


> Actually, the original question has still gone unanswered:  Theoretically, is
> it possible to create an Apache handler in Perl/whatever for m.e.o. that would
> strip all UEUE-based cookies?


to be honest, i'm not sure.. i'll check it out in the morn


> The 'X-factor', I believe, was the reference to the complexities of using UEUE
> cookie-based authentication on m.e.o.  Please refresh my addled brain on that
> one, Dan??


that's correct


> could build a really kick-ass X.509 certificate handler environment and issue
> certificates from ueue.evolt.org.  Plus we could add biometric user
> authentication!!  :)  sw33t!!!!


retinal scan based ldap authentication perhaps? just a thought here, but 
would a thing like this work at all?:

user goes to dan.evolt.org with X cookie (probably md5'd). dan.evolt.org 
grabs cookie, sends it via xml over local signed ssl certs to 
ueue.evolt.org. ueue.evolt.org assesses cookie, and sends a 'yes' or 
'no' back to dan.evolt.org saying, 'user is cool with these 
credentials'. inter-server communication would be xml packets encrypted 
via locally signed certs. or better yet, ldap over ssl. just some 
thoughts at 10:30 at night after a six pack :)

 
> I went to a seminar by a crazy paranoid CSI/FBI guy in Milwaukee.  (There was
> another CodeFest person there, unfortunately I can't remember your name...
> please please forgive me.. :)   )  Some CA guy made a major plug for their SSO
> solution...

ya, greg was telling me about that.. heard the FBI guy pretty much 
bashed MS and sent the MS folks scurrying - not to address their 
problems but - to find holes in open source packages. "Well he said our 
solutions are insecure, but look at how insecure X open source software 
is!!!!!!"

wish i coulda been there, sorry for that uncalled for giddiness :)

.djc.
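
Added example, not part of the original post: a sketch of the back-channel check described above, where the member site forwards the cookie to the central server and acts only on an authenticated 'yes'. Assumptions: the class and function names are hypothetical, an HMAC over a shared key stands in for the locally signed SSL link, JSON stands in for the XML packets, and the cookie is a random opaque value stored hashed on the central server.

```python
import hashlib, hmac, json, secrets, time

CHANNEL_KEY = secrets.token_bytes(32)  # assumption: stand-in for the SSL link between servers

def seal(msg: dict) -> tuple[bytes, bytes]:
    """Serialize a message and tag it so the peer can authenticate it."""
    raw = json.dumps(msg, sort_keys=True).encode()
    return raw, hmac.new(CHANNEL_KEY, raw, hashlib.sha256).digest()

def unseal(raw: bytes, tag: bytes):
    """Return the message, or None if the tag does not verify."""
    good = hmac.new(CHANNEL_KEY, raw, hashlib.sha256).digest()
    return json.loads(raw) if hmac.compare_digest(tag, good) else None

class Authority:
    """Plays ueue.evolt.org: issues cookies and answers yes/no about them."""
    def __init__(self, ttl=3600):
        self.ttl, self.sessions = ttl, {}   # sha256(cookie) -> (user, expiry)

    def login(self, user, now=None):
        cookie = secrets.token_urlsafe(32)  # random and opaque, not derived from user data
        key = hashlib.sha256(cookie.encode()).hexdigest()
        self.sessions[key] = (user, (now or time.time()) + self.ttl)
        return cookie

    def handle(self, raw, tag, now=None):
        req = unseal(raw, tag)
        if req is None:                     # request did not come over the trusted channel
            return seal({"ok": False, "nonce": None, "user": None})
        key = hashlib.sha256(req["cookie"].encode()).hexdigest()
        user, expiry = self.sessions.get(key, (None, 0))
        ok = user is not None and expiry > (now or time.time())
        return seal({"ok": ok, "nonce": req["nonce"], "user": user if ok else None})

class MemberSite:
    """Plays dan.evolt.org: forwards the cookie and trusts only a verified 'yes'."""
    def __init__(self, transport):
        self.transport = transport          # callable(raw, tag) -> (raw, tag)

    def check_cookie(self, cookie):
        nonce = secrets.token_hex(16)
        reply = unseal(*self.transport(*seal({"cookie": cookie, "nonce": nonce})))
        # Fail closed: bad tag, stale reply (nonce mismatch) or a 'no' all mean anonymous.
        if not reply or reply["nonce"] != nonce or not reply["ok"]:
            return None
        return reply["user"]
```

With real mutually authenticated TLS the channel itself provides the integrity and replay protection that the tag and nonce model here; the fail-closed handling of the answer still applies.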