Subject: CAcert Code Development list.
List archive
- From: Markus Warg <cacert AT quarkus.de>
- To: cacert-devel AT lists.cacert.org
- Subject: Re: the 2 checks rule and the 1 point rule [1-3,5][patch]
- Date: Wed, 30 Sep 2009 16:32:51 +0200
Hi Ian,
Ian G schrieb:
> On 30/09/2009 15:43, Markus Warg wrote:
>> AFAIK the hash is calculated once per account, so each account gets its
>> own unique hash.
>
>
> Hmmm. You mean something like sha1($username) ? That isn't so good :)
Don't know how the hash gets calculated, thats the plain old already
existing mail ping, I'd guess. I suppose that it uses something
different from the user name for building the hash. I'd use real random
numbers for that, because WE administratively connect the user id to the
hash, there must not be an mathematical dependency.
>> Thats not the problem. The issue Daniel points to is
>> that we need to tell the user what he has to put into DNS, WEB, WHOIS as
>> an alternative to email validation. If we present the hash the user can
>> take the string and fake an email validation.
>
>
> OK, so sha1(username + random + $method) where $method is dns, web, etc.
Or leave the mailping hash as is and just generate a 2nd one (maybe same
mechanism). Mathematically independent from hash #1 and independent from
the user name, id or mechanism.
> In some sense we need to initiate the check. So the user has to go to
> the online system, log in, and then hit the button that says "I want
> check X for domain Y" At that point, the system generates the token,
> stores it, and tell the user what it is.
>
> Right?
For DNS, WEB, WHOIS check we need to tell the user (because he has to
put the code into an location where CACert can check). For mail ping we
must not tell the user, because we want to check if he is the guy who
got the mail.
Thats why I would appreciate two different hashes (one per method,
method 1=mail, method 2=web,dns,whois).
>> See my 2nd comment to seperate hashes, means things get more complicated
>> (because at least mail& remaining methods) have different hashes. Maybe
>> one hash for mail and a 2nd one (completely independent from hash #1)
>> for web (stored in an distinct database field as well)?
>
>
> Yes, I agree, each check should generate a separate unique number for
> the user to place in that place.
>
> (On the bug page I was suggesting the overall method should be the same,
> but I agree the numbers should vary.)
>
>
>
>
> iang
ciao,
Markus
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- Re: the 2 checks rule and the 1 point rule [1-3,5][patch], Ian G, 09/30/2009
- Re: the 2 checks rule and the 1 point rule [1-3,5][patch], Markus Warg, 09/30/2009
- Re: the 2 checks rule and the 1 point rule [1-3,5][patch], Ian G, 09/30/2009
- Re: the 2 checks rule and the 1 point rule [1-3,5][patch], Markus Warg, 09/30/2009
- Re: the 2 checks rule and the 1 point rule [1-3,5][patch], Michael Tänzer, 09/30/2009
- Re: the 2 checks rule and the 1 point rule [1-3,5][patch], Markus Warg, 09/30/2009
- Re: the 2 checks rule and the 1 point rule [1-3,5][patch], Ian G, 09/30/2009
- Re: the 2 checks rule and the 1 point rule [1-3,5][patch], Markus Warg, 09/30/2009
Archive powered by MHonArc 2.6.16.