RE: external ACL

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Fri, 20 Jul 2001 10:36:01 +0200

> > Actually, I think I'd need it. There's an awful habit of password-sharing
> > in some places.
>
> And the strict mode is not acceptable to you? Completely denying the
> second user access until the IP TTL has expired.

There's the problem of users changing workstation too...
Sure, I can work around it. But it's a nice feature to have IMO. Of course
it's a matter of cost vs. benefit.
What's so hard in keeping it though? It's just a variant of the strict mode:
just remove the IP from the cache while you deny..

> I only questioned the need of the "soft/automatic" mode.

As explained above, I don't see how it can require more than 2 lines of
additional code, if put in the right perspective :)

> > > (if someone could explain the logic behind resubmitting exactly the
> > > same credentials as were rejected I would be glad to know..)
> >
> > Maybe as a workaround for buggy server-side authenticators?
>
> Not a valid concern, unless of course the browser and server have the
> same author and that author feels it is easier to work around their
> server by patching their browser..

Might be. I don't know of any such software, and you didn't give any names.

> My only explanation is a bug occurring as a side effect of implementing
> challenge-based schemes having more than one authentication exchange
> step.

Okay, you might as well have given the name now :)

Maybe it's a misguided server crash resiliency feature
(I give the unnamed software author the benefit of the doubt).

-- 
	/kinkie
Received on Fri Jul 20 2001 - 02:28:51 MDT
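The two policies argued over above (a "strict" mode that denies a second source IP for the same credentials until the cached binding's TTL expires, and the "automatic" variant that denies but also drops the cached IP so a retry from the new workstation goes through) are small enough to show side by side. The following is an added illustration, not code from the thread or from the project being discussed; the class name `UserIpBinder`, the `max_ips` limit, the injectable clock and the choice to evict all of the user's stale bindings in the non-strict variant are assumptions made here so the two behaviours can be compared on constructed input.

```python
import time


class FakeClock:
    """Constructed clock so the TTL behaviour can be driven deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class UserIpBinder:
    """Bind a username to the source IPs it has been seen from, with a TTL.

    strict=True : a request from a new IP while the user already holds
                  max_ips live bindings is denied until one expires.
    strict=False: the request is still denied, but the user's existing
                  bindings are evicted (assumption: all of them), so the
                  next attempt from the new IP succeeds without waiting
                  for the TTL. Each denial is recorded in self.denials.
    """

    def __init__(self, ttl, max_ips=1, strict=True, clock=time.monotonic):
        self.ttl = ttl
        self.max_ips = max_ips
        self.strict = strict
        self.clock = clock
        self.bindings = {}   # user -> {ip: expiry}
        self.denials = []    # (time, user, ip) for logging/alerting

    def _live(self, user, now):
        """Return the user's non-expired bindings, dropping expired ones."""
        live = {ip: exp for ip, exp in self.bindings.get(user, {}).items()
                if exp > now}
        if live:
            self.bindings[user] = live
        else:
            self.bindings.pop(user, None)
        return live

    def check(self, user, ip):
        """Return True if the request is allowed; refresh the binding's TTL."""
        now = self.clock()
        live = self._live(user, now)
        if ip in live or len(live) < self.max_ips:
            live[ip] = now + self.ttl
            self.bindings[user] = live
            return True
        self.denials.append((now, user, ip))
        if not self.strict:
            # Automatic variant: deny this request but forget the old IPs,
            # so a user who simply changed workstation gets in on retry.
            self.bindings.pop(user, None)
        return False


if __name__ == "__main__":
    clock = FakeClock()
    strict = UserIpBinder(ttl=60, strict=True, clock=clock)
    print(strict.check("alice", "10.0.0.1"), strict.check("alice", "10.0.0.2"))
    clock.t = 61
    print(strict.check("alice", "10.0.0.2"))
```

The non-strict variant shows the cost the thread is weighing: two people sharing one account from two workstations are never locked out, they simply evict each other on every other request, so the denial log (not the deny itself) is what reveals the sharing. Strict mode locks the second location out for a full TTL, which is also what makes a legitimate workstation change painful.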

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:07 MST