Discussion Forum For Bishopric

Postby Eric Werny-p40 » Fri Dec 14, 2007 5:44 pm

We are trying an experiment with the use of a double level password protected discussion forum.

Due to the crazy employment schedules of each member of our bishopric, I came up with the idea
of using a forum board to assist us in keeping track of our assignments. This allows our executive
secretary to collect items that need to be put on the Sunday meeting agenda.

I see this as an opportunity for our good Bishop, who is a CPA facing tax season and will be working
insane hours.

Have any of you tried this idea?

EW


Security

Postby The_Earl » Sun Dec 16, 2007 4:28 pm

I have not tried this.

I would think a better solution would be a certificate / PKI system. Three passwords are not really any more secure than one, since if you can get (or guess) one, then the process to get the rest is similar. You really need to find a different method to authenticate.

The general rules go something like:
Something you know (password / username)
Something you have (card / key fob / key)
Something you are (fingerprint / appearance)

Notice that your bank uses two separate methods (card AND pin). By using a certificate, you add 'something you have', the certificate, to the authentication process in addition to the 'known' password and username.

I am not familiar with using client side certificates to authenticate web users, but I understand it is possible. It is also trivially simple to generate a certificate and install it on the machines needed. You do need to distribute the certificates, but it is a one-time cost, and simple enough that a tech savvy person could do it.

I'll see if anyone can shed some light on this. I'll see what I can figure out in the meantime.

I have used PKI keys to authenticate SSH sessions, but that is a bit different.

Thanks
The Earl


Cert

Postby Eric Werny-p40 » Sun Dec 16, 2007 9:33 pm

This idea is in a beta stage and everyone involved has been briefed to keep it simple until we see if this
idea works or not.

I am putting in place an SSL Cert and a number of other layers. May even play with VPN tunnelling.

We had a little proof of concept tonight when the exe. sec. needed some data, and we could have had the Bishop log on and give him the entire list in the system, by cutting and pasting.

I will report back how this is going.

EW


Postby thedqs » Sun Dec 16, 2007 10:29 pm

The Earl wrote: I am not familiar with using client side certificates to authenticate web users, but I understand it is possible. It is also trivially simple to generate a certificate and install it on the machines needed. You do need to distribute the certificates, but it is a one-time cost, and simple enough that a tech savvy person could do it.


You can have client side certificates, but the problem is the verification chain; you need a trusted authority to sign. And the signature is what costs the pretty penny for not much.
- David


Verified Certificates

Postby The_Earl » Sun Dec 16, 2007 11:50 pm

thedqs wrote: You can have client side certificates, but the problem is the verification chain; you need a trusted authority to sign. And the signature is what costs the pretty penny for not much.


You wouldn't need a trust broker to sign the certificates for this project. You could create a key and sign them yourself as long as you protected the original key. If the signing key ever got out, you would have to generate another, and new certificates. This isn't that hard to do, but it is difficult to figure out if someone you don't intend has the original private key.
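Added example, not part of the thread: a sketch of the self-signed approach described in the post above, using the `openssl` command line (assumed to be installed). It creates a private signing key and CA certificate, issues a client certificate from it, and shows that after the CA is regenerated the old client certificate no longer verifies. The directory layout, CA name and `member1` user name are constructed for illustration.

```shell
#!/bin/sh
set -eu

# One config file so the run does not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# make_ca DIR: create the signing key (the secret to protect) and a self-signed CA cert.
make_ca() {
  mkdir -p "$1" && write_cnf "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" -days 365 2>/dev/null
  chmod 600 "$1/ca.key"
}

# issue_client CA_DIR NAME: key and CSR for one user, signed by the CA in CA_DIR.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/pki.cnf" -extensions client \
    -out "$1/$2.crt" -days 365 2>/dev/null
}

# trusted CA_CERT CLIENT_CERT: the chain check a server trusting only CA_CERT would make.
trusted() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Demo in a throwaway directory: rotating the CA invalidates certificates from the old one.
work=$(mktemp -d)
make_ca "$work/old"; issue_client "$work/old" member1
make_ca "$work/new"
trusted "$work/old/ca.crt" "$work/old/member1.crt" && echo "old CA: accepted"
trusted "$work/new/ca.crt" "$work/old/member1.crt" || echo "new CA: rejected"
rm -rf "$work"
```

Only `ca.crt` goes to the server and each user receives their own `.key` and `.crt`; `ca.key` stays offline, since anyone holding it can issue certificates the server will accept.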

