
Passwords

Posted May 1, 2014 5:18 UTC (Thu) by mathstuf (subscriber, #69389)
In reply to: Passwords by zlynx
Parent article: A preview of HyperKitty's reimagined mailing list interface

Where is the trust root? I don't want to have to hook into the WoT as seen by joe-schmo.com just to edit mailing list preferences. I also don't think having a "HyperKitty approved" set of global trust root(s) is a good idea. Reminds me too much of the SSL trainwreck we already have on our hands.



Passwords

Posted May 1, 2014 20:35 UTC (Thu) by clint (subscriber, #7076)

You could have per-user sets of OpenPGP trust roots, monkeysphere-style.

Passwords

Posted May 1, 2014 21:24 UTC (Thu) by mathstuf (subscriber, #69389)

Could you give more details? That sounds like giving the user the lock and key to something without knowing what "monkeysphere" is.

Passwords

Posted May 1, 2014 21:52 UTC (Thu) by clint (subscriber, #7076)

Let's say I have a shell account somewhere where I can run monkeysphere but there is no site-wide Monkeysphere policy or activity. Using whatever alternate methods I currently have to authenticate, I can log in and configure any set of OpenPGP keys to be trusted identity certifiers, and any set of OpenPGP userids to represent authorized users of my shell account.

You can implement the same concepts in anything that uses OpenPGP authentication, without using any Monkeysphere software: in effect, a per-user pair of (trusted keyring and a set of authorized user IDs). Everything is localized solely to you unless you choose it not to be.

Passwords

Posted May 2, 2014 11:24 UTC (Fri) by dskoll (subscriber, #1630)

That's over-engineering it. mathstuf's suggestion is probably fine: you just have "email me a login link" which times out in an hour or two and have no passwords whatsoever.
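
The "email me a login link" scheme from the comment above, sketched as an added example that is not part of the original thread or of HyperKitty's code. The function names, the token layout and the in-memory nonce store are assumptions of this example; the link carries an HMAC-signed token that expires after two hours and can be redeemed once.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to users
LINK_TTL = 2 * 60 * 60                # "an hour or two": two hours, in seconds
used_nonces = set()                   # assumption: in-memory; a real service needs shared storage

def b64enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_login_token(email: str, now: int) -> str:
    """Build the token that goes into the emailed login link."""
    if "\n" in email:
        raise ValueError("newline in address would break the payload layout")
    nonce = secrets.token_hex(16)
    payload = f"{email}\n{now + LINK_TTL}\n{nonce}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{b64enc(payload)}.{b64enc(tag)}"

def redeem_login_token(token: str, now: int):
    """Return the address if the token is authentic, unexpired and unused, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64dec(payload_b64), b64dec(tag_b64)
    except ValueError:  # wrong number of parts or bad base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    # Only parse the payload after the MAC has proven the server wrote it.
    email, expires, nonce = payload.decode().split("\n")
    if now >= int(expires) or nonce in used_nonces:
        return None
    used_nonces.add(nonce)  # single use: a replayed link is rejected
    return email
```

Nothing resembling a password is stored: the server keeps only its signing key and the set of nonces already redeemed, which can be pruned once their expiry has passed.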

Passwords

Posted May 2, 2014 14:35 UTC (Fri) by mathstuf (subscriber, #69389)

Agreed. It's a mailing list and not a bank account. We don't need to go from "plaintext storage we email you every month" to "PGP-based web of trust" for it. Now, for the banks…

